Sponsored by..

Monday 1 June 2015

Malware spam: "Uplata po pon 43421" / "Mirjana Prgomet [mirjana@fokus-medical.hr]"

I have no idea what "Uplata po pon" means, but this spam does come with a malicious attachment:

From:    Mirjana Prgomet [mirjana@fokus-medical.hr]
Date:    20 May 2015 at 08:26
Subject:    Uplata po pon 43421
There is no body text, but the only example I saw had an attachment name of report20520159260[1].doc which contained this malicious macro [pastebin] which downloads a malicious executable from:



http://uvnetwork.ca/1/09.exe


This is saved as %TEMP%\eldshrt1.exe and has a VirusTotal detection rate of 3/56. There are probably other download locations with other variants of the document, but the payload should be the same in each case.



Automated analysis tools [1] [2] [3] indicate network traffic to the following locations:


31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)


The Malwr report shows that it drops a Dridex DLL with a detection rate of 5/53.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
7008675da5c1b0a6b59834d125fafa45
cef5555f191735867c34868c346501ad

No comments: