From "Donna Vipond" [donna.vipond@ev-ent.co.uk]
Date Tue, 30 Jun 2015 13:13:28 +0100
Subject Payment due - 75805

Please advise when we can expect to receive payment of the attached
invoice now due? I await to hear from you.
Kind Regards
Donna Vipond
Accounts
Event Furniture Ltd T/A Event Hire
Tel: 01922 628961 x 201

Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report [1] [2]). The samples I saw downloaded a file from either:

www.medisinskyogaterapi.no/59/56.exe
www.carpstory.de/59/56.exe
This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55. The various analyses including this Malwr report and this Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany).
The payload is probably the Dridex banking trojan.
Recommended blocklist:
78.47.139.58
MD5s:
e704ff948e791ad67d2c46238629335d
b93dfe419fd9c2638fb4afce85efa3f2
25871a5bbeb85b0fbc07531cfc6193ce
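As an added, defender-side example (not part of the original post), a small Python sweep that checks proxy log lines for the indicators above: the two download URLs, the C2 address and the sample MD5s. The Squid-style log lines, client addresses and the generalised /<digits>/<digits>.exe download-path pattern are constructed assumptions, not observed data.

```python
"""Indicator sweep for the 75805.doc / silvuple.exe campaign described above."""
import hashlib
import re
from typing import Iterable

# Indicators taken from the post
C2_IP = "78.47.139.58"
DOWNLOAD_URLS = {
    "www.medisinskyogaterapi.no/59/56.exe",
    "www.carpstory.de/59/56.exe",
}
KNOWN_MD5 = {
    "e704ff948e791ad67d2c46238629335d",
    "b93dfe419fd9c2638fb4afce85efa3f2",
    "25871a5bbeb85b0fbc07531cfc6193ce",
}
# Assumption: the same /<digits>/<digits>.exe path layout recurs on other hosts,
# so flag it as suspicious even when the host is not on the list.
PAYLOAD_PATH = re.compile(r"/\d+/\d+\.exe$")

# Constructed Squid-style proxy log lines (timestamp client status method url)
SAMPLE_PROXY_LOG = """\
1435666000.123 10.0.0.5 TCP_MISS/200 GET http://www.carpstory.de/59/56.exe
1435666001.456 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1435666002.789 10.0.0.5 TCP_MISS/200 CONNECT 78.47.139.58:443
1435666003.000 10.0.0.9 TCP_MISS/200 GET http://cdn.example.net/12/34.exe
"""


def scan_proxy_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, reason) pairs for every indicator match in the log."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        client, url = fields[1], fields[4]
        host_path = url.split("://", 1)[-1]  # strip scheme if present
        if host_path in DOWNLOAD_URLS:
            hits.append((client, "known payload URL " + host_path))
        elif PAYLOAD_PATH.search(host_path):
            hits.append((client, "suspicious payload path " + host_path))
        if host_path.split(":")[0] == C2_IP:  # CONNECT host:port form
            hits.append((client, "C2 contact " + C2_IP))
    return hits


def md5_is_known(data: bytes) -> bool:
    """True if a dropped file (e.g. %TEMP%\\silvuple.exe) matches a listed MD5."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5
```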