From: [haywardsheath@hpsmerchant.co.uk]
Date: Tue, 04 Aug 2015 12:19:56 +0200
Subject: INVOICE HH / 114954
Please find attached INVOICE HH / 114954
--
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.
Attached is a file R-20787.doc containing a malicious macro, like this one [pastebin], which comes in at least two different versions and downloads from the following URLs:
mszpdorog.hu/45g33/34t2d3.exe
cvaglobal.com/45g33/34t2d3.exe
The Hybrid Analysis reports [1] [2] give some insight into the characteristics of the malicious document. The downloaded file has a VirusTotal detection rate of 3/55. Automated analysis [1] [2] shows traffic to the following IPs:
194.58.111.157 (Reg.RU, Russia)
62.210.214.106 (Iliad / Online S.A.S., France)
31.131.251.33 (Selectel, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33
MD5s:
8f3063ef8032799f71507b8f88f8a1c5
64011582b5dfa8fd79d823957a569b5f
3303a507e6584136c39c354085760987
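The blocklist and hashes above are only useful once they are checked against something. The following Python script is an added example, not part of the original post: it loads the indicators listed above into lookup sets, scans proxy or firewall log lines for the blocklisted IPs and the download URLs (matching on the shared path as well as the two hostnames, so a third host serving the same file is still flagged), and checks MD5 digests against the three hashes. The log lines are constructed for illustration and the squid-like field layout is an assumption.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators reproduced from the post above; these are the only page values reused.
BLOCKLIST_IPS = {
    "194.58.111.157",
    "62.210.214.106",
    "31.131.251.33",
}
DOWNLOAD_URLS = {
    "mszpdorog.hu/45g33/34t2d3.exe",
    "cvaglobal.com/45g33/34t2d3.exe",
}
KNOWN_BAD_MD5 = {
    "8f3063ef8032799f71507b8f88f8a1c5",
    "64011582b5dfa8fd79d823957a569b5f",
    "3303a507e6584136c39c354085760987",
}

# Derived lookups: the hostnames, and the URL path both download locations share.
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}
DOWNLOAD_PATHS = {"/" + u.split("/", 1)[1] for u in DOWNLOAD_URLS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def match_log_line(line):
    """Return a sorted list of indicator hits found in one log line.

    Hits are reported for any blocklisted IP in the line, any URL whose host is
    one of the download hosts, and any URL whose path equals the download path
    even when the host is unknown (the same macro served from another location).
    """
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in BLOCKLIST_IPS:
            hits.add("ip:" + ip)
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in DOWNLOAD_HOSTS:
            hits.add("host:" + host)
        if parsed.path in DOWNLOAD_PATHS:
            hits.add("path:" + parsed.path)
    return sorted(hits)


def scan_log(lines):
    """Return (line_number, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_log_line(line)
        if hits:
            results.append((number, hits))
    return results


def is_known_bad_md5(hex_digest):
    """True if the digest is one of the MD5s from the post (case-insensitive)."""
    return hex_digest.lower() in KNOWN_BAD_MD5


def md5_of_bytes(data):
    """MD5 hex digest of a byte string, e.g. the contents of a quarantined file."""
    return hashlib.md5(data).hexdigest()


# Constructed sample log lines (not real traffic); squid-like layout is an assumption.
SAMPLE_LOG = [
    "1438683600.123 GET http://mszpdorog.hu/45g33/34t2d3.exe 10.0.0.5 200",
    "1438683601.456 GET http://example.org/index.html 10.0.0.5 200",
    "1438683602.789 CONNECT 194.58.111.157:443 10.0.0.7 200",
    "1438683603.001 GET http://some-other-host.example/45g33/34t2d3.exe 10.0.0.9 404",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
    print("sample bytes known bad:", is_known_bad_md5(md5_of_bytes(b"benign test content")))
```

Against the sample lines the script flags line 1 (host and path), line 3 (blocklisted IP) and line 4 (known path on an unknown host), and reports the constructed bytes as not matching any of the three MD5s.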