Date: Mon, 09 Jun 2014 18:03:10 +0530 [08:33:10 EDT]
From: Ladonna Gray [wtgipagw@airtelbroadband.in]
Subject: inovice 2110254 June
This email contains an invoice file attachment

Attached is an archive file invoice_2110254.zip which in turn contains the malicious executable invoice_98372342598730_pdf.exe, which has a VirusTotal detection rate of 4/52. Automated analysis tools are not able to determine exactly what the malware does.
UPDATE 1: A Malwr analysis of the malware can be found here. It makes the following HTTP connections:
[donotclick]62.76.189.58:8080/dron/ge.php
[donotclick]62.76.41.73:8080/tst/b_cr.exe
It also drops a file KB05152056.exe which has a VirusTotal detection rate of 5/51. Analysis is pending.
UPDATE 2: the Malwr analysis of the second binary is here. This makes a connection to 62.76.185.30.
All the IP addresses listed belong to Clodo-Cloud in Russia:
62.76.41.73
62.76.185.30
62.76.189.58
Although there are probably some legitimate sites in these ranges, you might want to consider blocking the following if you feel like it:
62.76.40.0/21
62.76.184.0/21
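As an added example (not part of the original post), the check below confirms that the two suggested ranges actually cover all three IP addresses listed above, and then scans a few constructed, squid-style proxy log lines for connections into those ranges; the log format and client addresses are assumptions, the indicators are the ones from the post.

```python
import ipaddress
import re

# Indicators taken from the post above
IOC_IPS = {"62.76.41.73", "62.76.185.30", "62.76.189.58"}
SUGGESTED_BLOCKS = [ipaddress.ip_network("62.76.40.0/21"),
                    ipaddress.ip_network("62.76.184.0/21")]


def blocks_cover_iocs(ips=IOC_IPS, blocks=SUGGESTED_BLOCKS):
    """Return the IOC addresses NOT covered by the ranges (empty set = full coverage)."""
    return {ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in blocks)}


# Constructed sample proxy log lines (assumed format: timestamp client method URL)
SAMPLE_LOG = """\
1402320190.123 10.0.0.15 GET http://62.76.189.58:8080/dron/ge.php
1402320191.456 10.0.0.15 GET http://62.76.41.73:8080/tst/b_cr.exe
1402320192.789 10.0.0.22 GET http://www.example.com/index.html
1402320193.000 10.0.0.31 CONNECT 62.76.185.30:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")
HOST_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)")


def flag_suspicious(log_text, blocks=SUGGESTED_BLOCKS):
    """Return (client, destination IP) pairs whose destination lies inside the ranges."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore
        host = HOST_RE.match(m.group("url")).group("host")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than a literal IP: not matched here
        if any(addr in net for net in blocks):
            hits.append((m.group("client"), host))
    return hits


if __name__ == "__main__":
    print("uncovered IOCs:", blocks_cover_iocs())
    for client, dest in flag_suspicious(SAMPLE_LOG):
        print(f"{client} -> {dest}")
```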