From: Natalie [mailto:accounts@living-water.co.uk]
Sent: Wednesday, April 15, 2015 9:43 AM
Subject: Invoice from Living Water

Dear Customer :
Your invoice is attached. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Living Water
0203 139 9051

In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55. This contains a malicious macro [pastebin] which downloads a file from the following location:

http://adlitipcenaze.com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100
MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
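As an added example (not part of the original post), the following Python script shows how a defender might sweep proxy, firewall and endpoint logs for the indicators listed above: the three C2 IPs, the download host adlitipcenaze.com, and the three MD5s. The log lines embedded in the script are constructed for illustration and their formats (a Squid-style proxy line, an iptables-style firewall line, and a generic "md5=" endpoint line) are assumptions, not anything observed in the campaign.

```python
import re

# Indicators as listed in the post above
BLOCKLIST_IPS = {"89.28.83.228", "78.24.218.186", "37.140.199.100"}
DOWNLOAD_HOST = "adlitipcenaze.com"
KNOWN_MD5S = {
    "2ecf5e35d681521997e293513144fd80",
    "9932c4a05ca0233f27b0f8404a8dc5bd",
    "68e1e7251314944a4b4815adced70328",
}

# Loose extractors; we only act on a match if it is also in the indicator sets
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def scan_line(line):
    """Return a list of (indicator_kind, value) hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in BLOCKLIST_IPS:
            hits.append(("c2_ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        # match the domain itself and any subdomain of it
        if host == DOWNLOAD_HOST or host.endswith("." + DOWNLOAD_HOST):
            hits.append(("download_host", host))
    for digest in MD5_RE.findall(line):
        if digest.lower() in KNOWN_MD5S:
            hits.append(("md5", digest.lower()))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; return one finding dict per hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            findings.append({"line": number, "kind": kind, "value": value})
    return findings


# Constructed sample log lines (assumed formats, not real captures)
SAMPLE_LOG = [
    # Squid-style proxy: the macro fetching the dropper
    "1429090400.123 10.0.0.15 TCP_MISS/200 GET http://adlitipcenaze.com/353/654.exe "
    "- DIRECT/203.0.113.10 application/octet-stream",
    # benign browsing, should not match
    "1429090401.456 10.0.0.15 TCP_HIT/200 GET http://www.example.org/index.html - NONE/- text/html",
    # iptables-style firewall: outbound connections to the C2 addresses
    "Apr 15 09:44:02 fw1 kernel: OUT=eth0 SRC=10.0.0.15 DST=89.28.83.228 PROTO=TCP DPT=443",
    "Apr 15 09:44:05 fw1 kernel: OUT=eth0 SRC=10.0.0.15 DST=37.140.199.100 PROTO=TCP DPT=8080",
    # generic endpoint/AV line reporting the dropped file's hash
    "Apr 15 09:44:10 ws15 edr: file=C:\\Users\\user\\AppData\\Local\\Temp\\rizob1.0.exe "
    "md5=9932c4a05ca0233f27b0f8404a8dc5bd",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['kind']} = {finding['value']}")
```

Matching on the extracted IPs, hosts and hashes rather than on raw substrings keeps the sweep format-agnostic, so the same indicator sets can be run over whatever log sources are available; replace SAMPLE_LOG with a file iterator to use it on real data.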