From: Ray White [rw@raylian.co.uk]
Date: Thu, 15 Oct 2015 10:56:35 +0200
Subject: [Scan] 2015-10-14 5:29:54 p.m.
Amanda's attached.
In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc, which has a VirusTotal detection rate of 4/56 and which contains this malicious macro [pastebin]. The Hybrid Analysis report shows this particular version (there will be others) downloading a binary from:
sdhstribrnalhota.xf.cz/86575765/6757645.exe
Despite the apparently random path, this is a legitimate website (SDH Stříbrná Lhota) that has been compromised. The downloaded binary has a detection rate of just 2/56 and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report for this binary indicates connections to:
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.
Recommended blocklist:
89.32.145.12
195.154.251.123
MD5s:
30e1ad13b091ec24935724ed0abf62ca
bc571b3cfa8902da248420ba5e765a40
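As an added example (not part of the original post), the indicators above turned into a small detection script: it matches the download host and the two C2 addresses against proxy log lines, and checks file contents against the listed MD5s. The log lines are constructed for illustration and the log format ("timestamp client destination url") is an assumption; only the IPs, hostname and hashes come from the post. Note that whole-token matching is used deliberately, so a neighbouring address such as 89.32.145.120 does not false-positive on 89.32.145.12, and that the MD5s identify only the two samples seen here, not the "other versions" the post warns about.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators taken from the post above.
IOC_IPS = {"89.32.145.12", "195.154.251.123"}
IOC_HOSTS = {"sdhstribrnalhota.xf.cz"}
IOC_MD5S = {
    "30e1ad13b091ec24935724ed0abf62ca",
    "bc571b3cfa8902da248420ba5e765a40",
}

# Constructed sample proxy log lines (not real traffic). The assumed
# format is "<timestamp> <client ip> <destination> <url or ->".
SAMPLE_LOG = """\
2015-10-14T17:31:02Z 10.0.0.21 sdhstribrnalhota.xf.cz http://sdhstribrnalhota.xf.cz/86575765/6757645.exe
2015-10-14T17:31:09Z 10.0.0.21 89.32.145.12 -
2015-10-14T17:31:40Z 10.0.0.33 www.example.com http://www.example.com/index.html
2015-10-14T17:32:15Z 10.0.0.21 195.154.251.123 -
2015-10-14T17:33:01Z 10.0.0.44 89.32.145.120 -
"""

# Pulls the host part out of a URL token (scheme://host[:port]/...).
_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)", re.IGNORECASE)


def indicators_in_line(line: str) -> List[str]:
    """Return the IOC IPs/hosts that appear as whole tokens in one log line.

    Whole-token matching matters: 89.32.145.120 must not match 89.32.145.12,
    which a naive substring search would do.
    """
    hits = set()
    for token in line.split():
        candidates = {token.lower()}
        m = _URL_HOST.match(token)
        if m:
            candidates.add(m.group(1).lower())
        for c in candidates:
            if c in IOC_IPS or c in IOC_HOSTS:
                hits.add(c)
    return sorted(hits)


def scan_log(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP to the distinct indicators it contacted."""
    contacted: Dict[str, set] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        client = fields[1]
        hits = indicators_in_line(line)
        if hits:
            contacted.setdefault(client, set()).update(hits)
    return {client: sorted(h) for client, h in contacted.items()}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of file contents, the form used in the post's IOC list."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes, known: Iterable[str] = IOC_MD5S) -> bool:
    """True if the MD5 of the file contents matches a listed sample."""
    return md5_hex(data) in set(known)


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG).items():
        print(f"{client} contacted {', '.join(hits)}")
    # Example of the hash check on a file pulled from a client's %TEMP%:
    # with open(r"C:\Users\x\AppData\Local\Temp\CrowSoft1.exe", "rb") as f:
    #     print(is_known_sample(f.read()))
```

Run against the constructed log, only client 10.0.0.21 is reported, with all three indicators; the near-miss address on the last line is correctly ignored.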
1 comment:
Hi,
Attached is receipt of transfer regarding the deposit increase for our new contract to the Cherry Tree Cottage.
Let me know if it's all sorted.
Frederico Kessler
Product Owner | Games Platform
gamesysign
4th Floor, 10 Piccadilly
London, W1J 0DD
Email: frederico.kessler@gamesys.co.uk