From "info@123print" [info@123print.co.uk]
Date Thu, 09 Jul 2015 12:09:12 +0200
Subject Your order No. 3269637 has been despatched

Dear customer

Your order 3269637 has been despatched.
Please see attachment for details.

Attached is a file 4077774.doc, of which I have seen three variants [1] [2] [3] [Hybrid Analysis]; it downloads a malicious executable from one of the following locations:
robindesdroits.com/43/82.exe
illustramusic.com/43/82.exe
prodasynth.com/43/82.exe
Those sites are hosted on 213.186.33.19 and 213.186.33.87, which are OVH parking IPs (shared parking infrastructure, so the download domains rather than those two IPs are the useful indicators here).
That executable has a detection rate of 8/54, and automated analysis tools [1] [2] [3] show traffic to 62.210.214.106 (OVH, France). The payload is the Dridex banking trojan.
Recommended blocklist:
62.210.214.106
MD5s:
17cfe88703b471940c22aa01a367a2a3
404b61075c9b5cb7b8ecf107b4b4ccb0
53d0ee49815c7f9740b80fdbb50f599d
0488144945839b1a8cdf5ab6f37c471d
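As an added example (not code from the original post), the following script turns the indicators above into a quick sweep: it tags proxy-log lines that hit the download domains, the shared /43/82.exe path, the parking IPs or the C2 address, and checks quarantined files against the MD5 list. The log-line format and the sample log lines are constructed for illustration and are an assumption; the indicators themselves are the ones listed in the post.

```python
"""Sweep proxy logs and quarantined files for the indicators listed above.

Added example, not the original post's code. The indicators are the ones the
post lists; the log-line format and the sample log lines are constructed for
illustration (assumption).
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators from the post.
DOWNLOAD_HOSTS = {"robindesdroits.com", "illustramusic.com", "prodasynth.com"}
DOWNLOAD_PATH = "/43/82.exe"                         # shared by all three download URLs
PARKING_IPS = {"213.186.33.19", "213.186.33.87"}     # OVH parking IPs hosting the download sites
C2_IPS = {"62.210.214.106"}                          # post-infection traffic seen in the sandboxes
KNOWN_MD5S = {
    "17cfe88703b471940c22aa01a367a2a3",
    "404b61075c9b5cb7b8ecf107b4b4ccb0",
    "53d0ee49815c7f9740b80fdbb50f599d",
    "0488144945839b1a8cdf5ab6f37c471d",
}

# Constructed (assumed) log format: "<timestamp> <client_ip> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>\S+) (?P<url>\S+)$")

# Constructed sample log lines: the first two mimic the infection chain, the last
# a hypothetical new download site reusing the campaign's path.
SAMPLE_LOG = """\
2015-07-09T11:02:13Z 10.0.0.21 213.186.33.19 GET http://robindesdroits.com/43/82.exe
2015-07-09T11:02:19Z 10.0.0.21 62.210.214.106 POST http://62.210.214.106/
2015-07-09T11:03:40Z 10.0.0.33 93.184.216.34 GET http://example.com/index.html
2015-07-09T11:04:02Z 10.0.0.45 198.51.100.7 GET http://newsite.example/43/82.exe
"""


def classify(line: str) -> list[str]:
    """Return the indicator tags one log line matches (empty list if clean or unparseable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    tags = []
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        tags.append("download-host")
    if url.path == DOWNLOAD_PATH:
        # Weaker than a host match: flags the campaign's path on hosts not yet known.
        tags.append("download-path")
    if m["dest"] in PARKING_IPS:
        # Shared parking infrastructure: worth alerting on alongside a URL match,
        # but not a blocklist candidate on its own (the post blocklists only the C2).
        tags.append("parking-ip")
    if m["dest"] in C2_IPS:
        tags.append("c2-ip")
    return tags


def sweep(lines) -> dict[str, list[str]]:
    """Map every matching log line to its tags; clean lines are dropped."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits[line.strip()] = tags
    return hits


def md5_matches(data: bytes) -> bool:
    """True if the MD5 of a quarantined sample is one of the known hashes."""
    return hashlib.md5(data).hexdigest().lower() in KNOWN_MD5S


def check_files(paths) -> list[str]:
    """Return the paths whose contents hash to a known MD5."""
    return [str(p) for p in paths if md5_matches(Path(p).read_bytes())]


if __name__ == "__main__":
    for line, tags in sweep(SAMPLE_LOG.splitlines()).items():
        print(",".join(tags).ljust(40), line)
```

Run it against a real proxy export by replacing SAMPLE_LOG with the file's lines (after adapting LOG_RE to the actual format); a "c2-ip" hit indicates a host that has already run the payload, while "download-host" or "parking-ip" alone indicates the document was opened and the download attempted.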