From: Chris Christou [chris.christou@greysimmonds.co.uk]
Date: 26 February 2015 at 10:45
Subject: Copy invoices
Hello,
Please find copy invoices attached as per our telephone conversation.
Kind regards,
Chris
Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel: 0845 130 9070
Fax: 0845 370 9071
Email: chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com
“Think before you Print” - Please consider the environment before printing this e-mail
It does NOT come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery that borrows the company's name and signature block.
I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:
http://xomma.net/js/bin.exe
This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)
This Malwr report shows dropped files with MD5s of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119
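As an added example (not part of the original post), the following Python checks that every phone-home address listed above falls inside the recommended blocklist and then flags matching destinations in a few constructed firewall log lines; the log format and its `dst=` field are assumptions, not anything from the post.

```python
import ipaddress
import re

# Blocklist and phone-home addresses exactly as given in the post above.
RECOMMENDED_BLOCKLIST = ["92.63.82.0/23", "92.63.84.0/22", "92.63.88.0/24",
                         "78.140.164.160", "86.104.134.156", "104.232.32.119"]
OBSERVED_C2 = ["92.63.87.13", "78.140.164.160", "86.104.134.156", "104.232.32.119"]

# Parse once; bare addresses become /32 networks so every entry is compared the same way.
BLOCK_NETS = [ipaddress.ip_network(entry, strict=False) for entry in RECOMMENDED_BLOCKLIST]


def covering_entry(ip):
    """Return the blocklist entry covering `ip`, or None if the address is not blocked."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCK_NETS:
        if addr in net:
            return str(net)
    return None


def uncovered_c2(c2_ips=OBSERVED_C2):
    """Sanity check: list any observed phone-home address the blocklist fails to cover."""
    return [ip for ip in c2_ips if covering_entry(ip) is None]


# Destination field of the constructed (hypothetical) log format used below: "... dst=<ip> ...".
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines):
    """Return (line, blocklist entry) for every log line whose destination is blocklisted."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if m:
            entry = covering_entry(m.group(1))
            if entry:
                hits.append((line, entry))
    return hits


# Constructed sample firewall lines (not from the post): two C2 contacts and one benign DNS lookup.
SAMPLE_LOG = [
    "2015-02-26 11:02:13 allow src=10.0.0.15 dst=92.63.87.13 dport=80",
    "2015-02-26 11:02:14 allow src=10.0.0.15 dst=8.8.8.8 dport=53",
    "2015-02-26 11:02:20 allow src=10.0.0.15 dst=104.232.32.119 dport=443",
]

if __name__ == "__main__":
    print("C2 addresses not covered by the blocklist:", uncovered_c2())
    for line, entry in scan_log(SAMPLE_LOG):
        print(f"hit ({entry}): {line}")
```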