From: Hayley Sweeney [admins@bttcomms.com]
Date: 10 June 2015 at 11:20
Subject: Your monthly BTT telephone bill

Please find attached your telephone bill for last month.
This message was sent automatically.
For any queries relating to this bill, please contact Customer Services on 01536 211100.

So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:

http://www.jimaimracing.co.uk/64/11.exe
This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.
Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10
MD5s:
80e51715a4242d0d25668d499796b733
10e4291882e2d45a1a7a52e7d93a5579
53f8addb0e1734be13735e51332b2e90
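As an added example (not part of the original post), the indicators listed above wired into a small hunting script: it walks Squid-style proxy log lines looking for the payload download host or the blocklisted IPs, and checks a file's MD5 against the listed sample hashes. The log lines and the 203.0.113.10 upstream address are constructed for illustration, not captured traffic.

```python
"""Hunt proxy logs and files for the Dridex indicators listed in this post."""
import hashlib
from urllib.parse import urlsplit

# Indicators quoted from the post above (blocklist IPs, payload URL, sample MD5s).
BLOCKLIST_IPS = {"173.230.130.172", "94.23.53.23", "176.99.6.10"}
PAYLOAD_URL = "http://www.jimaimracing.co.uk/64/11.exe"
PAYLOAD_HOST = urlsplit(PAYLOAD_URL).hostname
SAMPLE_MD5S = {
    "80e51715a4242d0d25668d499796b733",
    "10e4291882e2d45a1a7a52e7d93a5579",
    "53f8addb0e1734be13735e51332b2e90",
}

# Constructed Squid native access.log lines; 203.0.113.10 is a TEST-NET
# placeholder for the upstream address, not where the host actually resolved.
SAMPLE_LOG = """\
1433935210.123    412 10.0.0.15 TCP_MISS/200 180224 GET http://www.jimaimracing.co.uk/64/11.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1433935215.456     87 10.0.0.15 TCP_MISS/200 512 POST http://173.230.130.172/ - HIER_DIRECT/173.230.130.172 text/html
1433935220.789     20 10.0.0.22 TCP_HIT/200 4096 GET http://www.example.com/index.html - HIER_NONE/- text/html
"""


def scan_proxy_log(log_text):
    """Return (client_ip, reason, url) for every line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line, skip it
        client, url, hierarchy = fields[2], fields[6], fields[8]
        host = urlsplit(url).hostname or ""
        upstream = hierarchy.split("/", 1)[-1]  # e.g. HIER_DIRECT/1.2.3.4
        if host == PAYLOAD_HOST:
            hits.append((client, "payload download host", url))
        elif host in BLOCKLIST_IPS or upstream in BLOCKLIST_IPS:
            hits.append((client, "blocklisted IP", url))
    return hits


def is_known_sample(data):
    """True if the MD5 of the given file bytes matches one of the listed samples."""
    return hashlib.md5(data).hexdigest().lower() in SAMPLE_MD5S


if __name__ == "__main__":
    for client, reason, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}: {reason}: {url}")
```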