From: accounts@dennys.co.uk
Date: 27 February 2015 at 09:14
Subject: Dennys Invoice INV650988
To view the attached document, you will need the Microsoft Word installed on your system.

So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero. It contains a malicious macro [pastebin] which downloads another component from the following location:
http://hew.homepage.t-online.de/js/bin.exe
This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57.
According to the Malwr report, this executable then goes on to download another version of itself and a config file from:
http://apartmentprofile.su/conlib.php
http://paczuje.cba.pl/java/bin.exe
It drops several files, KB2896~1.EXE [VT 3/57], edg2.exe [VT 3/57] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday). (If you have a Malwr account you can download a copy of everything from here)
Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
198.52.200.15 (Centarra Networks, US)
95.211.144.65 (Leaseweb, Netherlands)
195.114.0.64 (SuperHost.pl, Poland)
92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
59.97.137.171 (Broadband Multiplay Project, India)
104.232.32.119 (Net 3, US)
Some of these are shared hosting. For maximum protection I recommend applying the following blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
198.52.200.15
78.140.164.160
59.97.137.171
104.232.32.119
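As an added example (not from the original post), here is a small Python check that applies the blocklist above to proxy log lines, showing that the 92.63.84.0/22 range covers the 92.63.87.13 address seen in the analysis while the two shared-hosting addresses the post leaves off the list are not flagged. The log layout and the sample lines are constructed for this example.

```python
import ipaddress
from typing import Iterable

# Blocklist exactly as recommended in the post above (CIDR ranges and single hosts).
BLOCKLIST = [
    "92.63.82.0/23",
    "92.63.84.0/22",
    "92.63.88.0/24",
    "198.52.200.15",
    "78.140.164.160",
    "59.97.137.171",
    "104.232.32.119",
]

# Single addresses become /32 networks so every entry is matched the same way.
BLOCKED_NETS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]


def is_blocked(ip: str) -> bool:
    """True if ip falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Return (client, destination) pairs whose destination is blocklisted.

    Assumed log layout (constructed for this example): 'client dest path'.
    Lines that are malformed or whose destination is a hostname are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line
        client, dest = parts[0], parts[1]
        try:
            if is_blocked(dest):
                hits.append((client, dest))
        except ValueError:
            continue  # destination is a hostname, not an IP address
    return hits


# Constructed sample log lines; not taken from the original post.
SAMPLE_LOG = [
    "10.0.0.5 92.63.87.13 /conlib.php",       # inside 92.63.84.0/22 -> blocked
    "10.0.0.7 95.211.144.65 /",               # seen in analysis, not on the blocklist
    "10.0.0.9 198.52.200.15 /",               # listed explicitly -> blocked
    "10.0.0.11 www.example.com /index.html",  # hostname, ignored
    "garbage",                                # malformed, ignored
]

if __name__ == "__main__":
    for client, dest in scan_proxy_log(SAMPLE_LOG):
        print(f"ALERT: {client} contacted blocklisted {dest}")
```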