From: ACUVUE_DEL [ship-confirm@acuvue.com]
Date: Tue, 03 Nov 2015 12:26:17 +0200
Subject: Delivery Confirmation: 0068352929

PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.

Attached is a pdf file containing items that have shipped

Please contact us if there are any questions or further assistance we can provide

Attached is a file Advance Shipping Notification 0068352929.DOC which my sources (thank you, btw) say comes in four different versions, although I have only seen three (VirusTotal results [1] [2] [3], Hybrid Analysis results [4] [5] [6]) containing a macro that looks like this [pastebin]. The download locations are:

builders-solutions.com/45gce333/097j6h5d.exe
goalaskatours.com/45gce333/097j6h5d.exe
www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe
www.prolococopparo.it/45gce333/097j6h5d.exe
This malicious binary has a VirusTotal detection rate of 6/54. That VT report and this Hybrid Analysis report show network communications to the following IPs, which are the post-infection traffic rather than the download hosts above:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
The payload is most likely to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56
MD5s:
c6cefd2923164aa14a3bbaf0dfbea669
8de322b1fb6a2cc3cbe237baa8d5f277
110d5fde265cd25842b63b9ec4e57b3c
dcf4314773c61d3dde6226a2d67424e8
274695746758801bfb68f46f79bfb638
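A quick way to sweep logs for the indicators above (the four download URLs, the four IPs in the blocklist, and the MD5s). This is an added example, not part of the original post: the log lines are constructed, the proxy format assumed is Squid's native access.log layout (client in the third field, URL in the seventh) and the firewall format is a simple `src=`/`dst=` kernel-style line; adjust the field parsing for whatever your proxy and firewall actually emit. A request that matches the full `45gce333/097j6h5d.exe` path tail is reported as a download; a request that only touches one of the four hosts is reported separately as host-only, because the same sites may also serve legitimate pages.

```python
"""Sweep proxy, firewall and file-inventory data for the IOCs in this post."""
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
DOWNLOAD_HOSTS = {
    "builders-solutions.com",
    "goalaskatours.com",
    "www.frontiernet.net",
    "www.prolococopparo.it",
}
DOWNLOAD_PATH = "45gce333/097j6h5d.exe"   # path tail shared by all four URLs
C2_IPS = {"128.199.122.196", "75.99.13.123", "198.74.58.153", "221.132.35.56"}
MD5S = {
    "c6cefd2923164aa14a3bbaf0dfbea669",
    "8de322b1fb6a2cc3cbe237baa8d5f277",
    "110d5fde265cd25842b63b9ec4e57b3c",
    "dcf4314773c61d3dde6226a2d67424e8",
    "274695746758801bfb68f46f79bfb638",
}

# Constructed sample data (not real logs). Squid-style proxy lines: client is
# field 3, URL is field 7. The ~user URL is included to show path-tail matching.
PROXY_LOG = """\
1446553577.123 342 10.0.0.15 TCP_MISS/200 212345 GET http://goalaskatours.com/45gce333/097j6h5d.exe - DIRECT/192.0.2.10 application/octet-stream
1446553580.456 120 10.0.0.15 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/192.0.2.11 text/html
1446553590.789 98 10.0.0.22 TCP_MISS/200 212345 GET http://www.frontiernet.net/~propertiespricedtosell/45gce333/097j6h5d.exe - DIRECT/192.0.2.12 application/octet-stream
1446553600.000 50 10.0.0.31 TCP_MISS/200 4000 GET http://www.prolococopparo.it/ - DIRECT/192.0.2.13 text/html
"""
FW_LOG = """\
Nov  3 12:30:01 fw1 kernel: OUT src=10.0.0.15 dst=128.199.122.196 proto=TCP dpt=443
Nov  3 12:30:05 fw1 kernel: OUT src=10.0.0.15 dst=192.0.2.20 proto=TCP dpt=80
Nov  3 12:31:10 fw1 kernel: OUT src=10.0.0.22 dst=221.132.35.56 proto=TCP dpt=4443
"""
# Constructed (path, md5) inventory; the second hash is a placeholder (MD5 of the empty string).
INVENTORY = [
    (r"C:\Users\alice\Downloads\Advance Shipping Notification 0068352929.DOC",
     "c6cefd2923164aa14a3bbaf0dfbea669"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

SRC_RE = re.compile(r"\bsrc=(\d+\.\d+\.\d+\.\d+)\b")
DST_RE = re.compile(r"\bdst=(\d+\.\d+\.\d+\.\d+)\b")


def proxy_hits(log_text):
    """Return (client, host, kind) for each request touching the download sites.

    kind is "download" when the URL path ends with the shared payload path,
    otherwise "host-only" for any other request to one of the four hosts.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.path.endswith(DOWNLOAD_PATH):
            hits.append((client, host, "download"))
        elif host in DOWNLOAD_HOSTS:
            hits.append((client, host, "host-only"))
    return hits


def firewall_hits(log_text):
    """Return (src, dst) for every outbound connection to a blocklisted IP."""
    hits = []
    for line in log_text.splitlines():
        dst = DST_RE.search(line)
        if dst and dst.group(1) in C2_IPS:
            src = SRC_RE.search(line)
            hits.append((src.group(1) if src else "?", dst.group(1)))
    return hits


def hash_hits(inventory):
    """Return the paths whose MD5 appears in the post's hash list."""
    return [path for path, md5 in inventory if md5.lower() in MD5S]


if __name__ == "__main__":
    for hit in proxy_hits(PROXY_LOG):
        print("proxy   ", hit)
    for hit in firewall_hits(FW_LOG):
        print("firewall", hit)
    for path in hash_hits(INVENTORY):
        print("hash    ", path)
```

Hosts that appear as download hits should be treated as infected clients to pull for triage; host-only hits are worth a look but are not evidence of infection on their own.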
2 comments:
Looks like the first hash is missing a few characters
@Gauz73, fixed. Thanks.