
Thursday 15 October 2015

Malware spam: "[Scan] 2015-10-14 5:29:54 p.m." / "Ray White [rw@raylian.co.uk]"

This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery.

From     Ray White [rw@raylian.co.uk]
Date     Thu, 15 Oct 2015 10:56:35 +0200
Subject     [Scan] 2015-10-14 5:29:54 p.m.

Amanda's attached.

In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin]. The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:

sdhstribrnalhota.xf.cz/86575765/6757645.exe

Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this indicates connections to:

89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)


The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.

Recommended blocklist:
89.32.145.12
195.154.251.123

MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40
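As an added example (not part of the original post), a short sweep that checks constructed proxy-log lines and an endpoint file record against the indicators above, treating any subdomain of the download host as a hit; the log layout, the 192.0.2.10 address and the sample records are assumptions, not data from the post.

```python
"""Sweep constructed proxy-log lines and an endpoint file record for the
indicators in this post: the two C2 IPs, the download host, the dropped
filename and the two MD5s."""
from urllib.parse import urlsplit

# Indicators taken from the post.
BLOCKED_IPS = {"89.32.145.12", "195.154.251.123"}
BLOCKED_HOSTS = {"sdhstribrnalhota.xf.cz"}
KNOWN_MD5S = {"30e1ad13b091ec24935724ed0abf62ca", "bc571b3cfa8902da248420ba5e765a40"}
DROPPED_NAME = "crowsoft1.exe"  # saved under %TEMP% per the Hybrid Analysis report


def host_matches(host: str) -> bool:
    """True for a blocked host itself or any subdomain of it (a compromised
    site may serve the payload from www. or another label)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def check_proxy_line(line: str) -> list[str]:
    """Parse 'epoch client dst-ip method url' (assumed proxy-log layout) and
    return the indicator types that match: 'ip' and/or 'host'."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: skip rather than guess at fields
    _, _, dst_ip, _, url = fields
    hits = []
    if dst_ip in BLOCKED_IPS:
        hits.append("ip")
    # CONNECT lines carry host:port with no scheme; urlsplit needs the '//'.
    target = url if "://" in url else "//" + url
    if host_matches(urlsplit(target).hostname or ""):
        hits.append("host")
    return hits


def check_file_record(name: str, md5: str) -> list[str]:
    """Match an endpoint inventory record (basename, hex MD5) against the
    dropped filename and the MD5s listed in the post."""
    hits = []
    if name.lower() == DROPPED_NAME:
        hits.append("name")
    if md5.lower() in KNOWN_MD5S:
        hits.append("md5")
    return hits


# Constructed sample lines; 192.0.2.10 is a placeholder, not the site's real IP.
LOG_LINES = [
    "1444900000 10.0.0.5 192.0.2.10 GET http://sdhstribrnalhota.xf.cz/86575765/6757645.exe",
    "1444900010 10.0.0.7 93.184.216.34 GET http://www.example.com/",
    "1444900020 10.0.0.5 195.154.251.123 CONNECT 195.154.251.123:443",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(check_proxy_line(line), line)
    print(check_file_record("CrowSoft1.exe", "30e1ad13b091ec24935724ed0abf62ca"))
```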

1 comment:

OnFire for Driving said...

Hi,

Attached is receipt of transfer regarding the deposit increase for our new contract to the Cherry Tree Cottage.
Let me know if it's all sorted.

Frederico Kessler
Product Owner | Games Platform

gamesysign
4th Floor, 10 Piccadilly
London, W1J 0DD

Email: frederico.kessler@gamesys.co.uk