From: no-reply@123-reg.co.uk
Date: 12 May 2015 at 10:17
Subject: Copy of your 123-reg invoice ( 123-015309323 )

Hi,
Thank you for your order.
Please find attached to this email a receipt for this payment.

Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team.
https://www.123-reg.co.uk
About us | Privacy policy
© Copyright 123-reg - Part of Webfusion Ltd
Webfusion Ltd is a company registered in England and Wales with company number 05306504. Our VAT number is 927 1292 22. The address of our registered office is: 5 Roundwood Avenue, Stockley Park, Uxbridge, Middlesex, UB11 1FF.

Attached is a Word document 123-reg-invoice.doc which contains a malicious macro [pastebin] and has a detection rate of 5/57. There may be several different versions of this macro, but the sample I saw downloaded a file from:
http://fosteringmemories.com/432/77.exe
...which is saved as %TEMP%\ihmail4.1.0.exe and has a VirusTotal detection rate of 5/56. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs:
37.143.15.116 (Internet-Hosting Ltd, Russia)
62.152.36.90 (Host Telecom Net, Russia)
89.28.83.228 (StarNet SRL, Moldova)
185.15.185.201 (Colobridge gmbh, Germany)
According to this Malwr report it also drops a Dridex DLL with a detection rate of 3/57.
Recommended blocklist:
37.143.15.116
62.152.36.90
89.28.83.228
185.15.185.201
MD5s:
3fcc933847779784ece1c1f8ca0cb8e4
3540c517132a8a4cd543086270363447
0bb376ba96868461ffa04dd70dc41342
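The blocklist and MD5s above are most useful when they are actually checked against something. The script below is an added example, not part of the original post or of any tool it references: it takes the indicators exactly as listed on this page (the four IPs, the three MD5s, the payload host fosteringmemories.com and the dropped filename ihmail4.1.0.exe) and runs them over a constructed proxy log and a constructed endpoint file inventory. The log format, the internal addresses and the inventory entries are all made up for the example; the 203.0.113.x and 93.184.216.x addresses are documentation ranges, not real observations.

```python
import re
from typing import Iterable

# Indicators taken from the post above.
BLOCKLIST_IPS = {
    "37.143.15.116",
    "62.152.36.90",
    "89.28.83.228",
    "185.15.185.201",
}
KNOWN_MD5S = {
    "3fcc933847779784ece1c1f8ca0cb8e4",
    "3540c517132a8a4cd543086270363447",
    "0bb376ba96868461ffa04dd70dc41342",
}
PAYLOAD_HOST = "fosteringmemories.com"   # host of the second-stage download
DROPPED_NAME = "ihmail4.1.0.exe"         # filename written to %TEMP%

# Constructed proxy/firewall log (timestamp, client, server, method, url).
# The internal 10.0.0.x clients and the 93.184.216.34 / 203.0.113.7 servers
# are invented for this example; only the blocklisted IPs are from the post.
SAMPLE_LOG = """\
2015-05-12T10:21:03 10.0.0.15 93.184.216.34 GET http://example.com/index.html
2015-05-12T10:22:41 10.0.0.15 185.15.185.201 POST http://185.15.185.201:8080/
2015-05-12T10:23:10 10.0.0.15 203.0.113.7 GET http://fosteringmemories.com/432/77.exe
2015-05-12T10:25:55 10.0.0.22 37.143.15.116 POST http://37.143.15.116/
"""

# Constructed endpoint inventory: (path, md5). The first entry reuses a hash
# from the post so that the check fires; the second is the MD5 of an empty file.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\AppData\Local\Temp\ihmail4.1.0.exe",
     "3fcc933847779784ece1c1f8ca0cb8e4"),
    (r"C:\Windows\System32\notepad.exe",
     "d41d8cd98f00b204e9800998ecf8427e"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Return one hit per log line that touches a blocklisted IP or the payload host."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        bad_ips = set(IPV4_RE.findall(line)) & BLOCKLIST_IPS
        host_hit = PAYLOAD_HOST in line.lower()
        if bad_ips or host_hit:
            hits.append({"line": n, "ips": sorted(bad_ips),
                         "payload_host": host_hit, "raw": line})
    return hits


def check_inventory(entries: Iterable[tuple[str, str]]) -> list[dict]:
    """Flag files whose MD5 is a known sample or whose name matches the dropped file."""
    flagged = []
    for path, md5 in entries:
        reasons = []
        if md5.lower() in KNOWN_MD5S:
            reasons.append("known_md5")
        if path.replace("\\", "/").rsplit("/", 1)[-1].lower() == DROPPED_NAME:
            reasons.append("dropped_filename")
        if reasons:
            flagged.append({"path": path, "md5": md5.lower(), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"log line {hit['line']}: ips={hit['ips']} host={hit['payload_host']}")
    for item in check_inventory(SAMPLE_INVENTORY):
        print(f"{item['path']}: {', '.join(item['reasons'])}")
```

Matching on the host name as well as the IPs matters here because the download URL and the C2 addresses are separate indicators: a client that fetched 77.exe but never reached any of the four IPs (for example because egress filtering already blocked them) still shows up as infected on line 3 of the sample log.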