From: Kairen Varker [mailto:kvarker@notifications.kashflow.com] On Behalf Of Kairen VarkerIn this case the attachment is called Invoice-83230.xls which is currently undetected by AV vendors. It contains this malicious macro [pastebin] which downloads a component from the following location (although there are probably more than this):
Sent: Tuesday, April 14, 2015 9:26 AM
Subject: Invoice from
I have made the changes need and the site is now mobile ready . Invoice is attached
http://925balibeads.com/94/053.exe
This is saved as %TEMP%\stepk1.5a.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] [4] shows the malware phoning home to:
78.24.218.186 (TheFirst-RU, Russia)
176.67.160.187 (UK2, UK)
87.236.215.151 (OneGbits, Lithuania)
154.69.104.137 (Sandton Telkom, South Africa)
107.191.46.222 (Vultr Holdings / Choopa LLC, Canada)
94.23.171.198 (OVH, Czech Republic)
74.119.194.18 (RuWeb Corp, US)
37.140.199.100 (Reg.Ru Hosting, RUssia)
89.28.83.228 (StarNet SRL, Moldova)
The Malwr report shows that among other files it drops a malicious Dridex DLL with a detection rate of 2/57.
Recommended blocklist:
78.24.218.186
184.25.56.188
176.67.160.187
87.236.215.151
154.69.104.137
107.191.46.222
94.23.171.198
74.119.194.18
37.140.199.100
89.28.83.228
MD5s:
e46dcc4a49547b547f357a948337b929
1748fc9c5c0587373bf15a6bda380543
1e010195d2e5f6096095078482624995
No comments:
Post a Comment