From: accounts@nolettinggo.co.uk
Date: Mon, 12 Oct 2015 11:43:16 +0330
Subject: Insurance

Dear all
Please find attached insurance paperwork including EL certificate. Invoices
will follow at the beginning of November.
Regards
Karen

In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56. This particular document contains this malicious macro [pastebin] which downloads a malware component from the following location:
ukenterprisetours.com/877453tr/rebrb45t.exe
The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56.
That VirusTotal report and this Hybrid Analysis report show network traffic to:
149.210.180.13 (TransIP BV, Netherlands)
I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan.
MD5s:
6b0c1290d653a4f92a6214a9c91bd23b
04e1476d464fafa559bd1bd8ea38749c
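To act on the "block or monitor" recommendation above, here is an added example (not part of the original post) that scans proxy log lines for the download URL and the C2 IP listed in this post and checks a file's MD5 against the two hashes. The log layout is a constructed, hypothetical five-field format; adapt the regex to your own proxy's logs.

```python
import hashlib
import re

# Indicators taken from the post above.
DOWNLOAD_HOST = "ukenterprisetours.com"
DOWNLOAD_PATH = "/877453tr/rebrb45t.exe"
C2_IP = "149.210.180.13"
KNOWN_MD5S = {
    "6b0c1290d653a4f92a6214a9c91bd23b",
    "04e1476d464fafa559bd1bd8ea38749c",
}

# Constructed sample log: "timestamp src_ip dst_host dst_ip url" (hypothetical format).
# Non-indicator addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2015-10-12T11:50:02 10.0.0.21 www.example.org 192.0.2.10 http://www.example.org/
2015-10-12T11:50:09 10.0.0.21 ukenterprisetours.com 203.0.113.7 http://ukenterprisetours.com/877453tr/rebrb45t.exe
2015-10-12T11:50:31 10.0.0.21 - 149.210.180.13 -
2015-10-12T11:51:00 10.0.0.33 www.example.org 192.0.2.10 http://www.example.org/about
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def scan_log(text: str) -> list[dict]:
    """Return one hit per log line that touches the payload URL or the C2 IP."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, host, dst_ip, url = m.groups()
        reason = None
        if host == DOWNLOAD_HOST or DOWNLOAD_PATH in url:
            reason = "payload download"
        elif dst_ip == C2_IP:
            reason = "dridex c2 traffic"
        if reason:
            hits.append({"time": ts, "src": src, "reason": reason})
    return hits


def is_known_sample(data: bytes) -> bool:
    """True if the MD5 of the given bytes matches one of the hashes listed above."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```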
2 comments:
Many thanks, I have that email in my inbox but knew it was not legit. Many thanks for confirmation.
I wonder what they get out of spam mail like this. It doesn't seem as though they can get money or finance information out of it with replies. It's probably a virus of sorts.