From: Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700
Instead of having an attachment, it has a Base64 encoded section like this:
0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////
As it is, this email is harmless because all the bad stuff needs decoding. Extracting that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].
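As an added example (not code from the original post), here is a Python check a defender can run over a received message to find inline base64 runs that decode to an OLE Compound File header, which is exactly what the fragment above begins with, and to hash the decoded blob for comparison against a blocklist. The sample message is constructed from the headers and fragment quoted in the post; because the fragment is truncated, the MD5 computed here is of the partial blob only and will not match the hashes listed later.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample message, reusing the headers and the base64 fragment shown in
# the post. The fragment is only the start of the encoded file, so it is truncated.
SAMPLE_EMAIL = """From: Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA
AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////
"""

# Magic bytes of an OLE Compound File (the container used by .doc/.xls files).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# One or more long base64 tokens separated only by whitespace (line-wrapped blob).
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{40,}={0,2}\s*)+")


def decode_b64_fragment(text):
    """Decode a base64 run that may be truncated: whitespace is removed and a
    dangling partial 4-character quantum at the end is dropped instead of raising."""
    compact = re.sub(r"\s+", "", text)
    compact = compact[: len(compact) - len(compact) % 4]
    return base64.b64decode(compact)


def find_inline_ole(message):
    """Return a finding for every base64 run in the message whose decoded bytes
    start with the OLE header, with the offset in the message, the decoded size
    and the MD5 of the decoded blob for correlation with a blocklist."""
    findings = []
    for match in B64_RUN.finditer(message):
        try:
            blob = decode_b64_fragment(match.group(0))
        except binascii.Error:
            continue  # not valid base64 after all; skip the run
        if blob.startswith(OLE_MAGIC):
            findings.append({
                "offset": match.start(),
                "decoded_bytes": len(blob),
                "md5": hashlib.md5(blob).hexdigest(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_inline_ole(SAMPLE_EMAIL):
        print(f"inline OLE blob at offset {hit['offset']}: "
              f"{hit['decoded_bytes']} bytes, md5 {hit['md5']}")
```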
This macro downloads a malicious component from:
http://irpanet.com/1/09.exe
Which has a VirusTotal detection rate of 7/56. This Malwr report shows it communicating with the same IPs we saw earlier:
31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)
It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.
Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214
MD5s:
0d02257ec18b92b3c1cf58b8cb6b3d37
cef5555f191735867c34868c346501ad
Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people.