
Monday 22 June 2015

Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"

This fake financial spam comes with a malicious attachment:

Date:    22 June 2015 at 13:07
Subject:    Shareholder alert

Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.

Glen McCoy, Partner

Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.
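
As an added illustration (not code from the original post), here is a mail-gateway style check for the pattern described above: an attachment that is a ZIP by content but not by filename, carrying an executable. The function names, the extension list and the sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable for this check (an assumption; extend as needed).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that is a ZIP archive by content."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the filename or the declared MIME type.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        findings.append({
            "filename": name,
            "misnamed": not name.lower().endswith(".zip"),
            "executables": [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)],
        })
    return findings


def build_sample() -> bytes:
    """Constructed sample: placeholder bytes, filenames as quoted in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instructions_document.exe", b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Shareholder alert"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="instructions.zip size=21154.zipsize=21154")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A finding with `misnamed` set and a non-empty `executables` list is a strong quarantine signal regardless of antivirus verdict.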

The Malwr report indicates network traffic to: is Orion Telekom in Serbia.

It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to ( Midwest Data Center, US), which is clearly malicious according to VirusTotal.

The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.

Recommended blocklist:

