From: Hector Malvido [handyman1181@hotmail.com]
Date: 20 April 2015 at 10:51
Subject: Pending payment

This invoice shows in my records that has not being pay can you review your records please

Attached is a file filename-1.doc (3/57 detection by AV vendors) which may come in many different versions, but the samples I have all have this malicious macro [pastebin] which downloads another component from the following location:

http://kafilahgroup.com/55/55.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] [4] show it phoning home to:
89.28.83.228 (StarNet SLR, Moldova)
The Malwr report shows that it drops a Dridex DLL with a 3/57 detection rate.
Recommended blocklist:
89.28.83.228
MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e
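The indicators above turned into something you can run, as an added example that is not part of the original post: a Python script that hashes files against the three listed MD5s, flags the %TEMP% filename the downloader is saved under, and checks proxy log lines against the payload URL, the payload host and the C2 address. Only the indicator values come from the post; the log line format, the sample log lines and the RFC 5737 client/destination addresses in them are constructed assumptions.

```python
"""Match files and proxy log lines against the Dridex indicators in the post.

Added example, not the original post's code. The log format below and the
sample lines are constructed; only the indicator values come from the post.
"""
import hashlib
import re
from pathlib import Path

# Indicators as listed in the post.
BLOCKLIST_IPS = {"89.28.83.228"}
MALICIOUS_HOSTS = {"kafilahgroup.com"}
MALICIOUS_URLS = {"http://kafilahgroup.com/55/55.exe"}
KNOWN_MD5S = {
    "673626be5ea81360f526a378355e3431",
    "7ca6884ad8900797c7f0efaaabe0c0da",
    "8c0661aefa9aa25d8fddf2a95297e04e",
}
# The downloader is written to %TEMP%\grant8i.exe; match on the basename
# because %TEMP% expands differently for every user.
DROPPED_NAMES = {"grant8i.exe"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 20) -> str:
    """Hash a file in chunks so large samples are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(paths, known=KNOWN_MD5S):
    """Return (hash_hits, name_hits): files whose MD5 is in `known`, and
    files whose basename matches the dropped payload. Missing paths are skipped."""
    hash_hits, name_hits = [], []
    for p in map(Path, paths):
        if not p.is_file():
            continue
        if p.name.lower() in DROPPED_NAMES:
            name_hits.append(str(p))
        digest = md5_of_file(p)
        if digest in known:
            hash_hits.append((str(p), digest))
    return hash_hits, name_hits


# Assumed (constructed) proxy log format, one request per line:
#   <epoch> <client_ip> <dest_ip> <METHOD> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def match_log_lines(lines):
    """Return (line_no, reason, client_ip) for every line that hits an IOC.

    The exact payload URL is checked first, then the payload host (catches
    other paths on the same server), then the C2 address, matched both as
    the destination IP and as an IP-literal host inside the URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; ignore rather than guess
        url, dest = m["url"], m["dest"]
        hm = HOST_RE.match(url)
        host = hm.group(1).lower() if hm else ""
        if url in MALICIOUS_URLS:
            reason = "payload URL"
        elif host in MALICIOUS_HOSTS:
            reason = "payload host"
        elif dest in BLOCKLIST_IPS or host in BLOCKLIST_IPS:
            reason = "C2 IP"
        else:
            continue
        hits.append((n, reason, m["client"]))
    return hits


# Constructed sample log lines; only the IOC values come from the post.
SAMPLE_LOG = [
    "1429523460 192.0.2.15 203.0.113.9 GET http://example.org/ 200",
    "1429523461 192.0.2.15 203.0.113.20 GET http://kafilahgroup.com/55/55.exe 200",
    "1429523465 192.0.2.15 89.28.83.228 POST http://89.28.83.228/ 200",
    "1429523470 192.0.2.33 203.0.113.9 GET http://example.org/about 304",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    import sys
    for line_no, reason, client in match_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {reason} from {client}")
    hash_hits, name_hits = scan_files(sys.argv[1:])
    for path, digest in hash_hits:
        print(f"known Dridex sample: {path} ({digest})")
    for path in name_hits:
        print(f"dropped-payload filename: {path}")
```

Run it with a list of files as arguments to get both the log matches on the built-in sample and hash/name matches on the files. Since the post notes the document comes in many different versions, the three MD5s will only catch the samples the author had; the URL, host and C2 matches in the log check are the more durable part of this list, and the host match deliberately fires on any path under kafilahgroup.com rather than only on /55/55.exe.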
1 comment:
Hi.
I was pretty sure that the email was spam, but I googled the name "Hector Malvido" just out of curiosity and found your website. Thank you for confirming my suspicion and for your good work. :)