From: Allen, Claire [Claire.Allen@snapon.com]
Date: 24 February 2015 at 14:41
Subject: Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:
SKETTDCCSMF14122514571

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe
This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:
91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)
According to this Malwr report it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].
Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227
MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d
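As an added example (not part of the original post, and not a tool from the blog's author), the following script turns the blocklist and MD5s above into a simple sweep over proxy, firewall and file-inventory lines. The sample log lines are constructed for the example and are not real captures; the download-host string is taken from the URL in the post, and the log formats are assumptions.

```python
"""Sweep log lines for the IOCs published in this post.

IOC sets are copied from the post; the sample lines below are CONSTRUCTED
for this example and do not come from any real environment.
"""
import ipaddress
import re

# C2 / callback IPs from the "Recommended blocklist" section of the post
BLOCKLIST_IPS = {
    "91.242.163.70", "72.167.62.27", "62.113.219.35", "46.101.49.125",
    "130.241.92.141", "198.245.70.182", "94.23.173.233", "14.98.243.243",
    "5.100.249.215", "62.113.223.227",
}

# MD5s from the post (macro document, downloader, dropped components)
MALICIOUS_MD5S = {
    "dc92858693f62add2eb4696abce11d62",
    "6fb2f86986e074cf44bd4c9f68e9822e",
    "9565b17a4f1221fee473d0d8660dc26d",
    "62e780a6237c6f9fd0a8e16a2823562d",
}

# Host the macro downloads 42.exe from (from the URL in the post)
DOWNLOAD_HOST = "ws6btg41m.homepage.t-online.de"

# Sanity-check the blocklist so a typo does not silently disable a rule
for _ip in BLOCKLIST_IPS:
    ipaddress.ip_address(_ip)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# CONSTRUCTED sample lines: a squid-style proxy entry for the second-stage
# fetch, two iptables-style firewall entries (one C2 hit, one benign), and a
# file-hash inventory line with an upper-case hash. 192.0.2.10 is TEST-NET.
SAMPLE_LINES = [
    "1424786466.123    402 10.0.0.15 TCP_MISS/200 188416 GET "
    "http://ws6btg41m.homepage.t-online.de/025/42.exe - DIRECT/192.0.2.10 application/octet-stream",
    "Feb 24 14:45:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 "
    "DST=91.242.163.70 PROTO=TCP SPT=49211 DPT=8080",
    "Feb 24 14:45:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 "
    "DST=93.184.216.34 PROTO=TCP SPT=49212 DPT=443",
    "C:\\Users\\x\\AppData\\Local\\Temp\\42.exe  DC92858693F62ADD2EB4696ABCE11D62",
]


def scan_lines(lines):
    """Return (line_number, indicator_type, value) for every IOC hit.

    IPs are matched exactly against the blocklist, MD5s are compared
    case-insensitively, and the download host is matched as a substring so
    both proxy URLs and DNS log entries would be caught.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in BLOCKLIST_IPS:
                hits.append((n, "ip", ip))
        for md5 in sorted({m.lower() for m in MD5_RE.findall(line)}):
            if md5 in MALICIOUS_MD5S:
                hits.append((n, "md5", md5))
        if DOWNLOAD_HOST in line.lower():
            hits.append((n, "host", DOWNLOAD_HOST))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind} hit {value}")
```

Feed real proxy or firewall exports in place of SAMPLE_LINES; the IP match is exact on purpose, so if your logs record NATed or proxied addresses, match on the destination field rather than every address on the line.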