From: sarah@hairandhealth.co.uk [mailto:sarah@hairandhealth.co.uk]
Sent: Monday, June 08, 2015 10:10 AM
Subject: Bank payment

Dear customer
Please find attached a bank payment for £3083.10 dated 10th June 2015 to pay invoice 1757. With thanks.
Kind regards
Sarah
Accounts

Attached is a file Bank payment 100615.pdf [VT 2/57] which appears to drop a Word document with a malicious macro. Although there are probably several versions of this attachment, according to the Hybrid Analysis report it downloads a component from:

192.186.217.68/~banobatwo/15/10.exe
This is saved as %TEMP%\biksampc.exe and has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] indicate network traffic to the following IPs:
146.185.128.226 (Digital Ocean, Netherlands)
31.186.99.250 (Selectel, Russia)
176.99.6.10 (Global Telecommunications Ltd, Russia)
203.151.94.120 (Internet Thailand Company Limited, Thailand)
185.12.95.40 (RuWeb, Russia)
The Malwr report indicates that it drops a Dridex DLL with a detection rate of 4/57.
Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40
MD5s:
48d496afc9c2c123e1ab0c72822a7975
6cbd6126b5761efffbe10dafaa7a4bde
2e499cacb5b3a396a3b2a08bd0f4ce1e
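The indicators above (download URL, C2 IPs, dropped file name and MD5s) are easiest to act on when turned into a quick sweep of proxy and endpoint logs. The script below is an added example, not part of the original post: it assumes a Squid-style access.log layout for the proxy lines and a simple EDR-style file-creation event (path plus MD5) for the endpoint side; the log lines and events are constructed for the demonstration, while the IoC values themselves are the ones listed in the report. Because the post notes there are probably several versions of the attachment, the hash matches only catch these exact samples, so the URL and IP matches are the more durable check.

```python
# Added example (not from the original post): sweep constructed proxy and
# endpoint log data for the IoCs given in the Dridex report above.
import re
from typing import Dict, List, Tuple

# IoCs taken from the report.
C2_IPS = {
    "146.185.128.226",  # Digital Ocean, Netherlands
    "31.186.99.250",    # Selectel, Russia
    "176.99.6.10",      # Global Telecommunications Ltd, Russia
    "203.151.94.120",   # Internet Thailand Company Limited, Thailand
    "185.12.95.40",     # RuWeb, Russia
}
DOWNLOAD_HOST = "192.186.217.68"
DOWNLOAD_PATH = "/~banobatwo/15/10.exe"
DROPPED_NAME = "biksampc.exe"          # written to %TEMP%
KNOWN_MD5S = {
    "48d496afc9c2c123e1ab0c72822a7975",
    "6cbd6126b5761efffbe10dafaa7a4bde",
    "2e499cacb5b3a396a3b2a08bd0f4ce1e",
}

# Assumed Squid access.log layout:
# <timestamp> <elapsed> <client_ip> <result/status> <bytes> <method> <url> ...
PROXY_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")


def check_proxy_line(line: str) -> List[str]:
    """Return the reasons this proxy log line matches a report IoC (empty if none)."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    _ts, client, _method, url = m.groups()
    u = URL_RE.match(url)
    if not u:
        return []
    host, path = u.group(1), u.group(2) or "/"
    reasons = []
    if host == DOWNLOAD_HOST and path == DOWNLOAD_PATH:
        reasons.append(f"{client} fetched payload URL {url}")
    elif host == DOWNLOAD_HOST:
        reasons.append(f"{client} contacted payload host {host}")
    if host in C2_IPS:
        reasons.append(f"{client} contacted Dridex C2 {host}")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Run check_proxy_line over a log, returning (1-based line number, reason) hits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for reason in check_proxy_line(line):
            hits.append((n, reason))
    return hits


def check_file_event(path: str, md5: str) -> List[str]:
    """Flag a file-creation event by known hash, or by the dropped name under a Temp folder."""
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    reasons = []
    if md5.lower() in KNOWN_MD5S:
        reasons.append(f"{path} matches reported MD5 {md5.lower()}")
    if name == DROPPED_NAME and "/temp/" in norm:
        reasons.append(f"{path} matches dropped payload name in %TEMP%")
    return reasons


def scan_file_events(events: List[Dict[str, str]]) -> List[str]:
    """Flatten check_file_event over a list of {'path': ..., 'md5': ...} events."""
    return [r for ev in events for r in check_file_event(ev["path"], ev["md5"])]


# Constructed sample data (not captured from a real incident).
SAMPLE_PROXY_LOG = [
    "1433758210.123 245 10.0.0.15 TCP_MISS/200 51200 GET http://192.186.217.68/~banobatwo/15/10.exe - HIER_DIRECT/192.186.217.68 application/octet-stream",
    "1433758215.456 12 10.0.0.15 TCP_MISS/200 512 POST http://146.185.128.226/ - HIER_DIRECT/146.185.128.226 text/html",
    "1433758220.789 30 10.0.0.22 TCP_MISS/200 8192 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]
SAMPLE_FILE_EVENTS = [
    {"path": r"C:\Users\bob\AppData\Local\Temp\biksampc.exe", "md5": "48D496AFC9C2C123E1AB0C72822A7975"},
    {"path": r"C:\Users\bob\Downloads\report.pdf", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for n, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: {reason}")
    for reason in scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"endpoint: {reason}")
```

Feeding a real access.log in place of SAMPLE_PROXY_LOG is a matter of reading the file line by line; the host/path split is done separately so that a new path on the same payload host is still reported as a weaker "contacted payload host" hit rather than missed.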