From "info" [info@norfolkdance.co.uk]
Date Thu, 08 Oct 2015 12:39:28 +0300
Subject Receipt from Norfolk Dance
Please find receipt for payment attached.
Many Thanks
Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail: info@norfolkdance.co.uk
Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56 and 3/56), each containing a different malicious macro [1] [2] [Pastebin] which downloads a malicious binary from one of the following locations:
katastimataone.com/bvcb34d/983bv3.exe
archives.wnpvam.com/bvcb34d/983bv3.exe
This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55. The VirusTotal report indicates traffic to the following IP:
198.61.187.234 (Rackspace, US)
I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan.
MD5s:
bb4d2d606091de154e81e292036981c8
80fba8c6b4947cea3d55cef66515d70f
1f5d975dedd140e62f794993792d906b
de413dd09e70e1dc48c5060afe3f87f0
70570b4d1806a25414959d7967bb542f
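As an added example (not part of the original post), the following Python script turns the indicators listed above (the two download hosts and path, the Rackspace IP, and the five MD5s) into a small matcher that can be run over web-proxy logs and file-hash lists. The log format, the client addresses and the destination IPs in the sample lines are constructed for illustration; only the indicators themselves come from the post.

```python
"""Match the indicators from this post against proxy log lines and file hashes."""
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
MALICIOUS_HOSTS = {"katastimataone.com", "archives.wnpvam.com"}
MALICIOUS_URL_PATH = "/bvcb34d/983bv3.exe"
C2_IPS = {"198.61.187.234"}  # Rackspace, US
MALICIOUS_MD5S = {
    "bb4d2d606091de154e81e292036981c8",
    "80fba8c6b4947cea3d55cef66515d70f",
    "1f5d975dedd140e62f794993792d906b",
    "de413dd09e70e1dc48c5060afe3f87f0",
    "70570b4d1806a25414959d7967bb542f",
}

# Constructed sample proxy log: "timestamp client method url status destination_ip".
# Client and destination addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
2015-10-08T10:41:03Z 10.0.0.15 GET http://katastimataone.com/bvcb34d/983bv3.exe 200 203.0.113.10
2015-10-08T10:41:09Z 10.0.0.15 POST http://198.61.187.234/ 200 198.61.187.234
2015-10-08T10:42:11Z 10.0.0.22 GET http://example.com/index.html 200 203.0.113.20
2015-10-08T10:43:50Z 10.0.0.31 GET http://archives.wnpvam.com/other/file.zip 404 203.0.113.30
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<dst>\S+)$"
)


def is_known_sample(md5_hex):
    """True if the given MD5 (any case) is one of the hashes from the post."""
    return md5_hex.strip().lower() in MALICIOUS_MD5S


def classify_line(line):
    """Return the set of indicator types that a single log line matches.

    "download-host": request to one of the macro's download hosts
    "payload-url":   request for the exact payload path on such a host
    "c2-ip":         request to, or resolved to, the post-infection IP
    """
    match = LOG_RE.match(line.strip())
    if not match:
        return set()  # unparseable line: nothing to say about it
    hits = set()
    parts = urlsplit(match["url"])
    host = (parts.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        hits.add("download-host")
        if parts.path == MALICIOUS_URL_PATH:
            hits.add("payload-url")
    if host in C2_IPS or match["dst"] in C2_IPS:
        hits.add("c2-ip")
    return hits


def scan_log(text):
    """Scan a whole log; return (timestamp, client, sorted hit names) per matching line."""
    findings = []
    for line in text.splitlines():
        hits = classify_line(line)
        if hits:
            match = LOG_RE.match(line.strip())
            findings.append((match["ts"], match["client"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for ts, client, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {client}: {', '.join(hits)}")
```

Run against the constructed sample, the script flags the first client for both the download host and the exact payload URL, the same client again for the follow-on connection to the IP, and the last client for contacting a download host on a different path, while the benign request is ignored. The distinction matters in triage: a hit on the exact payload URL or on the IP is a strong sign the macro already ran, whereas a hit on the host alone is worth a look but may be unrelated traffic.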
Update:
The Hybrid Analysis report for the DOC file is here, and their analysis of the executable is available here with a Malwr report also here.