From: Bobby Drell [rob@abbottpainting.com]
Date: 5 March 2015 at 10:27
Subject: Brochure2.doc

Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell

Attached is a file Brochure2.doc with a low detection rate; it contains this malicious macro [pastebin], which downloads a component from the following location:

http://data.gmsllp.com/js/bin.exe
This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.
Automated analysis tools [1] [2] show it phoning home to the following IPs:
92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)
Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.
Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
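As an added example (not part of the original post), the following Python checks that both C2 addresses observed above fall inside the recommended blocklist and then scans proxy log lines for connections into those ranges; the squid-style log lines are constructed for illustration.

```python
import ipaddress
import re

# Blocklist CIDRs and observed C2 addresses taken from the post above.
RECOMMENDED_BLOCKLIST = ["92.63.82.0/23", "92.63.84.0/22",
                         "92.63.88.0/24", "95.163.121.0/24"]
OBSERVED_C2 = ["92.63.87.13", "95.163.121.200"]

BLOCK_NETS = [ipaddress.ip_network(c) for c in RECOMMENDED_BLOCKLIST]


def matching_block(ip):
    """Return the blocklist CIDR (as a string) covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCK_NETS:
        if addr in net:
            return str(net)
    return None


def uncovered_c2(ips=OBSERVED_C2):
    """Observed C2 addresses that the blocklist would NOT stop (should be empty)."""
    return [ip for ip in ips if matching_block(ip) is None]


# Constructed squid-native-format lines (hypothetical, not from the post):
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1425551234.123 201 10.0.0.15 TCP_MISS/200 51200 GET http://data.gmsllp.com/js/bin.exe - DIRECT/92.63.87.13 application/octet-stream
1425551240.456 12 10.0.0.15 TCP_MISS/200 512 POST http://95.163.121.200/ - DIRECT/95.163.121.200 text/html
1425551250.789 30 10.0.0.22 TCP_HIT/200 8000 GET http://example.com/index.html - DIRECT/203.0.113.7 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+[^/\s]+/(?P<dst>\S+)"
)


def flag_log(text):
    """Return (client, destination IP, matching CIDR) for each line hitting the blocklist."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        cidr = matching_block(m.group("dst"))
        if cidr:
            hits.append((m.group("client"), m.group("dst"), cidr))
    return hits
```

Feeding real proxy or firewall logs to flag_log() gives the internal hosts that reached the Dridex download or C2 ranges and should be looked at first.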