The subject of the email is some randomly-generated sentence, which matches the name of the attached ZIP file. I have seen two samples so far with a detection rate of 3/55 and 2/55 respectively.

From [random]
Date Wed, 28 Oct 2015 10:39:26 +0100
Subject [random]
Dear :
Boat has been done a week now. I contacted you last week. The Boat is ready to pick up, I have had inquiries as to people wanting to buy it, the carb is in your possession and there is no way to run it. The boat could sell real easy at this time of year, Memorial day to 4th of July most boats are sold.
Please call me to arrange payment and pickup of the Boat, If you need me to store the boat I can do that at the storage facility, they do charge a fee for this 7.00 per day.
The other Invoice for the embroidery will follow, Balance is due now!
Thanks
Your invoice is attached. Please remit payment.
Thank you for your business - we appreciate it very much.
Sincerely,
Don and Carol Racine
Racine Design, Inc.
2036 Imeson Rd
Jacksonville, Fl. 32220
boatclinic@aol.com
www.boatclinic.net
phone (904) 771-8170
fax (904) 771-0843
Analysis of the binary is pending (please check back), but the payload here is Upatre/Dyre, which commonly calls back to 197.149.90.166 (Cobranet, Nigeria), an IP I strongly recommend that you block.
UPDATE:
The reverse.it report shows that the malware does indeed call back to that Nigerian IP address.
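The one reliable tell in this run is that the random-sentence Subject equals the name of the attached ZIP. The following is an added example (not part of the original post) of a mail-gateway heuristic that flags that pattern; the sample messages it builds are constructed for illustration, not real captures.

```python
"""Flag e-mails whose Subject equals the attached ZIP file's name.

Added example, not from the original post. The heuristic is the one the
post describes: a random-sentence Subject that matches the attached ZIP
name. The messages built by build_sample() are constructed test data.
"""
import email
from email import policy
from email.message import EmailMessage


def zip_attachment_names(msg: EmailMessage) -> list:
    """Return the file names of all .zip attachments in the message."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            names.append(name)
    return names


def subject_matches_zip(msg: EmailMessage) -> bool:
    """True when the normalised Subject equals a ZIP attachment's stem."""
    subject = " ".join((msg["Subject"] or "").split()).casefold()
    if not subject:
        return False
    for name in zip_attachment_names(msg):
        stem = name[: -len(".zip")]
        if " ".join(stem.split()).casefold() == subject:
            return True
    return False


def build_sample(subject: str, zip_name: str) -> EmailMessage:
    """Constructed sample mail in the style the post describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Your invoice is attached. Please remit payment.")
    # A bare ZIP local-file-header signature stands in for a real archive.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="zip", filename=zip_name)
    return msg


def classify(raw: bytes) -> bool:
    """Parse raw RFC 5322 bytes and apply the heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return subject_matches_zip(msg)


if __name__ == "__main__":
    lure = build_sample("green table dances quietly", "green table dances quietly.zip")
    print(classify(lure.as_bytes()))  # True
```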