From: admin.scanner@victimdomain
Date: 11 March 2015 at 08:49
Subject: Message from "RNP0026735991E2"
This E-mail was sent from "RNP0026735991E2" (MP C305).
Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain
Attachment: 201503071457.xls
----------
From: Jora Service [jora.service@yahoo.com]
Date: 11 March 2015 at 09:27
Subject: inv.09.03
Attachment: INV 86-09.03.2015.xls
Neither XLS attachment is currently detected by AV vendors [1] [2]. Both contain two related but slightly different macros [1] [2] which download a component from the following locations:
http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe
The downloaded file is then saved as %TEMP%\fJChjfgD675eDTU.exe, which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:
188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)
It also drops a couple more malicious binaries with the following MD5s:
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]
Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159
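As an added example that is not part of the original post, the following Python checker runs the post's indicators (the two download URLs and the recommended blocklist) over constructed proxy log lines in an assumed four-field format and flags clients that both fetched the dropper and contacted a listed IP:

```python
import re

# Indicators taken from the post: the two bin.exe download locations and the blocklist IPs.
DOWNLOAD_URLS = {
    "http://koschudu.homepage.t-online.de/js/bin.exe",
    "http://03404eb.netsolhost.com/js/bin.exe",
}
BLOCKLIST_IPS = {
    "188.225.77.216", "42.117.1.88", "31.41.45.211",
    "87.236.215.103", "104.232.32.119", "188.120.243.159",
}

# Constructed sample log (not real traffic) in an assumed format:
# <timestamp> <client_ip> <dest_ip> <url-or-dash>
SAMPLE_LOG = """\
2015-03-11T09:31:02Z 10.0.0.15 192.0.2.10 http://koschudu.homepage.t-online.de/js/bin.exe
2015-03-11T09:31:05Z 10.0.0.15 188.225.77.216 -
2015-03-11T09:32:40Z 10.0.0.22 203.0.113.5 http://example.com/index.html
2015-03-11T09:33:11Z 10.0.0.15 42.117.1.88 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (client_ip, dest_ip, url) for one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groups()[1:] if m else None

def indicators_for(dest, url):
    """List the (type, value) indicators a single request matches; [] when it is clean."""
    hits = []
    if url.lower() in DOWNLOAD_URLS:
        hits.append(("download_url", url))
    if dest in BLOCKLIST_IPS:
        hits.append(("c2_ip", dest))
    return hits

def scan_log(text):
    """Group every indicator hit by the internal client that produced it."""
    by_client = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, dest, url = parsed
        for hit in indicators_for(dest, url):
            by_client.setdefault(client, []).append(hit)
    return by_client

def flag_hosts(by_client):
    """Clients that both fetched the dropper and reached a C2 IP: the strongest sign the macro ran."""
    return sorted(c for c, hits in by_client.items()
                  if {"download_url", "c2_ip"} <= {t for t, _ in hits})
```

A client that only appears with a blocked IP (no download) is worth a look but may just be a blocked outbound attempt, which is why the two indicator types are kept separate.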