
Thursday 19 November 2015

Malware spam: "Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]" / "support@postcodeanywhere.com"

This spam is not from postcodeanywhere.com but is instead a simple forgery with a malicious attachment. Unfortunately, I don't have the body text of the message; the headers are:

From     support@postcodeanywhere.com
Date     Thu, 19 Nov 2015 16:20:40 +0300
Subject     Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]
The attachment is EDMUN11118_181859.xls, which comes in two different versions (VirusTotal results [1] [2]); according to these Hybrid Analysis reports [3] [4], it downloads a file from one of the following locations:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe
lapelsbadges.com//8i65h4g53/o97i76u54.exe [file not found]


This has a VirusTotal detection rate of 1/54, and that VirusTotal report indicates that it phones home to:

182.93.220.146 (Ministry Of Education, Thailand)

I strongly recommend that you block that IP address. The payload is the Dridex banking trojan.

MD5s
8e22032e0b5d338ef078f5aaf302fa4c
63e22e87b78f6f82d437c7b622a84945
8aba2ca4fd785759ad2ad262d9c62d2f
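As an added triage example (not part of the original post), the following Python parses a raw message, hashes each attachment, and flags both Office attachments and any hash that matches the MD5s listed above. The sample message is constructed from the headers quoted in the post; its attachment body is a harmless placeholder, and the known_md5 parameter is an assumption of this example.

```python
import base64
import hashlib
from email import message_from_string, policy

# MD5 indicators listed in the post above.
KNOWN_MD5 = {
    "8e22032e0b5d338ef078f5aaf302fa4c",
    "63e22e87b78f6f82d437c7b622a84945",
    "8aba2ca4fd785759ad2ad262d9c62d2f",
}
OFFICE_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm")


def triage_email(raw: str, known_md5=KNOWN_MD5) -> dict:
    """Parse a raw message, hash every attachment, and flag Office
    attachments and any hash that matches a known indicator."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"from": str(msg.get("From", "")),
                "subject": str(msg.get("Subject", "")),
                "attachments": [], "ioc_hit": False, "office_attachment": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # decodes base64 for us
        name = (part.get_filename() or "").strip()
        md5 = hashlib.md5(data).hexdigest()
        findings["attachments"].append({"name": name, "md5": md5})
        findings["ioc_hit"] |= md5 in known_md5
        findings["office_attachment"] |= name.lower().endswith(OFFICE_EXT)
    return findings


# Constructed sample built from the headers quoted in the post; the attachment
# body is a harmless placeholder string, not the real spreadsheet.
SAMPLE_EML = "\n".join([
    "From: support@postcodeanywhere.com",
    "Date: Thu, 19 Nov 2015 16:20:40 +0300",
    "Subject: Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/vnd.ms-excel",
    'Content-Disposition: attachment; filename="EDMUN11118_181859.xls"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"placeholder, not a real spreadsheet").decode(),
    "--b1--",
    "",
])
```

Run triage_email(SAMPLE_EML) to see the placeholder flagged as an Office attachment with no hash match; feeding it a real .eml and the MD5 set above gives the hash check the post is asking for.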