From: "reports@officeteam.co.uk" [reports@officeteam.co.uk]
Date: Fri, 11 Sep 2015 10:39:32 GMT
Subject: Sales Order Acknowledgement - Order No: EF150085 - Your Reference: 14 /Geneva
Please find attached your sales order acknowledgement
Order No: EF150085
Account: PFM895
Your Reference: 14 /Geneva
Web Reference:
Kind Regards
Office Team
In the only sample I have seen there was an attachment SalesOrderAcknowledgement_EF150085.zip which in turn contained a malicious executable SalesOrderAcknowledgement.scr which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows that, amongst other traffic, it communicates with a familiar Nigerian IP of 197.149.90.166 (Cobranet).
In this case, the payload is Upatre downloading the Dyre banking trojan.
MD5:
0a7e68a84765d639210b77575c2373bd
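A mail-gateway check for this lure, written as an added example rather than anything from the original post: it opens any .zip attachment, flags entries with a screensaver or other executable extension, and compares each entry's MD5 against the hash quoted above. The message it scans is constructed inline with a harmless placeholder in place of the real .scr; the helper names and the extension list are this example's own choices.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# MD5 quoted in the post for SalesOrderAcknowledgement.scr (the only hash the post gives).
KNOWN_BAD_MD5 = {"0a7e68a84765d639210b77575c2373bd"}
# Extensions that should never arrive inside a "sales order" zip (example's own list).
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com")


def inspect_zip(data: bytes) -> list:
    """Return one finding per zip entry that is executable-by-extension or hash-matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            md5 = hashlib.md5(content).hexdigest()
            ext_hit = info.filename.lower().endswith(EXECUTABLE_EXTS)
            hash_hit = md5 in KNOWN_BAD_MD5
            if ext_hit or hash_hit:
                findings.append({"name": info.filename, "md5": md5, "known_bad": hash_hit})
    return findings


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and inspect every .zip attachment it carries."""
    findings = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(".zip"):
            for f in inspect_zip(part.get_payload(decode=True)):
                findings.append({"attachment": fname, **f})
    return findings


def build_sample(entry_name: str = "SalesOrderAcknowledgement.scr") -> bytes:
    """Constructed sample mimicking the lure; the zip holds a harmless stand-in, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, b"placeholder bytes, not the real payload")
    msg = EmailMessage()
    msg["From"] = "reports@officeteam.co.uk"
    msg["Subject"] = "Sales Order Acknowledgement - Order No: EF150085"
    msg.set_content("Please find attached your sales order acknowledgement")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="SalesOrderAcknowledgement_EF150085.zip")
    return msg.as_bytes()
```

Because the stand-in bytes are not the real sample, the hash check stays negative here; on the genuine attachment the `known_bad` flag would also fire.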