Date: 22 June 2015 at 13:07
Subject: Shareholder alert

Hope this e-mail finds you well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.

Glen McCoy, Partner

Attached is a mis-named ZIP file called instructions.zip (21154 bytes) containing a malicious executable instructions_document.exe, which has a VirusTotal detection rate of 1/56.
The Malwr report indicates network traffic to:
http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK
93.93.194.202 is Orion Telekom in Serbia.
It also drops two further executables: xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 (Midwest Data Center, US), which VirusTotal also flags as malicious.
The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.
Recommended blocklist:
64.111.36.35
93.93.194.202
MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3
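As an added example (not code from the original post), the following Python script turns the blocklist and MD5s above, plus the shape of the two Malwr check-in URLs, into something that can be run over proxy logs and a hash inventory. It assumes a simple space-separated proxy log format (timestamp, client IP, method, URL) and generalises the observed path /212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK into a regex of the form /campaign/hostname/n/os-version/n/id, so that check-ins to a C2 not yet on the blocklist are still surfaced; the log lines are constructed for illustration. Hashes are matched only when an MD5 for a file already exists, since none of the samples are available here.

```python
import re

# IOCs taken from the post above.
BLOCKLIST_IPS = {"64.111.36.35", "93.93.194.202"}
BLOCKLIST_MD5S = {
    "058216b2635e9c48c22eda6f9b7c83b5",
    "6b2858d4452d97992ab78fd228c3970d",
    "da53e58da4778515d22a96968766c3e3",
}

# Generalised from the two check-in URLs in the Malwr report (assumption):
#   /<campaign>/<hostname>/<n>/<os-version>/<n>/<id>
# e.g. /212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK  (51-SP3 reads as Windows 5.1 SP3)
UPATRE_PATH = re.compile(
    r"^/(?P<campaign>\d+)/(?P<host>[A-Za-z0-9_-]+)/\d+/"
    r"(?P<os>\d+(?:-SP\d+)?)/\d+/(?P<id>[A-Z]{10,})/?$"
)

# Hypothetical proxy log format: "<timestamp> <client-ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
URL = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$")


def parse_url(url):
    """Split an http(s) URL into (host, port, path); None if it is not one."""
    m = URL.match(url)
    if not m:
        return None
    host, port, path = m.group(1), m.group(2), m.group(3) or "/"
    return host, int(port) if port else 80, path


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    parsed = parse_url(url)
    if parsed is None:
        return []
    host, _port, path = parsed
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append("blocklisted_ip:%s" % host)
    m = UPATRE_PATH.match(path)
    if m:
        reasons.append("upatre_checkin:host=%s os=%s" % (m.group("host"), m.group("os")))
    return reasons


def scan_proxy_log(lines):
    """Yield (client, url, reasons) for every log line that hits an IOC or the check-in shape."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


def check_hashes(md5s):
    """Return the subset of supplied MD5 strings (any case, stray whitespace) on the blocklist."""
    return {h.strip().lower() for h in md5s} & BLOCKLIST_MD5S


# Constructed sample log: two lines mirror the Malwr report, one is benign,
# one hits the second blocklisted IP, one is a look-alike check-in to an unlisted host.
SAMPLE_LOG = [
    "2015-06-22T13:09:01Z 10.0.0.14 GET http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK",
    "2015-06-22T13:09:02Z 10.0.0.14 GET http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK",
    "2015-06-22T13:10:00Z 10.0.0.22 GET http://example.com/index.html",
    "2015-06-22T13:11:00Z 10.0.0.31 POST http://64.111.36.35/",
    "2015-06-22T13:12:00Z 10.0.0.40 GET http://198.51.100.7/212/WS-0142/0/61-SP1/0/ABCDEFGHIJKLMNOP",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
    print(check_hashes(["058216B2635E9C48C22EDA6F9B7C83B5", "d41d8cd98f00b204e9800998ecf8427e"]))
```

The IP blocklist catches the known infrastructure; the path regex is what catches the fifth line, a check-in from another infected host to an address not yet on any list, which is the pattern worth alerting on since Upatre campaigns rotate C2 addresses quickly. Tighten or loosen the hostname and id character classes to fit what your own logs show before deploying it.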