Friday, 27 November 2015

Malware spam: "Invoice" / "Ivan Jarman [IJarman@sportsafeuk.com]"

This fake invoice does not come from Sportsafe UK Ltd but is instead a simple forgery with a malicious attachment.

From     Ivan Jarman [IJarman@sportsafeuk.com]
Date     Fri, 27 Nov 2015 17:21:27 +0530
Subject     Invoice

Sent 27 NOV 15 09:35

Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ

Telephone 01206 795265
Fax 01206 795284

I have received several copies of this spam, all with the same attachment named S-INV-BROOKSTRO1-476006.doc, which has a VirusTotal detection rate of 1/54 and contains this malicious macro [pastebin].

This Malwr report shows the macro downloads from:

kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe

The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to:

198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)


The payload is probably the Dridex banking trojan.

MD5s:
6e5654da58c03df6808466f0197207ed
b7bb1381da652290534605e5254361bd

Recommended blocklist:
198.57.243.108
94.73.155.8/29
77.221.140.99
37.128.132.96
37.99.146.27
217.160.110.232
202.137.31.219
91.212.89.239
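As an added example (not code from the original post), the script below turns the IoCs listed above into a small checker that a defender can run over proxy or firewall logs. The blocklist entries, the /29 range and the two MD5s are the ones given in the post; the log format and the log lines themselves are constructed for the example. The point it makes is that a plain string comparison would miss 94.73.155.12 (the address seen in the Hybrid Analysis traffic), because the post deliberately recommends the surrounding 94.73.155.8/29 range, so the check has to be a CIDR containment test.

```python
"""Match constructed log lines against the IoCs from the post above.

Added example, not part of the original post. The IP list, the /29 range,
the download host and the MD5s are taken from the post; the log format and
the sample log lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Blocklist exactly as recommended in the post (single hosts plus one /29 range).
BLOCKLIST = [
    "198.57.243.108",
    "94.73.155.8/29",
    "77.221.140.99",
    "37.128.132.96",
    "37.99.146.27",
    "217.160.110.232",
    "202.137.31.219",
    "91.212.89.239",
]

# MD5s of the attachment and the dropped executable, from the post.
KNOWN_MD5S = {
    "6e5654da58c03df6808466f0197207ed",
    "b7bb1381da652290534605e5254361bd",
}

# Download host named in the Malwr report.
KNOWN_HOSTS = {"kidsmatter2us.org"}

# Single IPs become /32 networks, so one containment test covers both forms.
BLOCK_NETS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]


def ip_is_blocked(ip: str) -> bool:
    """True if ip falls inside any blocklist entry (host or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCK_NETS)


# Constructed log format: "<ts> src=<ip> dst=<ip> [host=<name>] [md5=<hash>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: host=(?P<host>\S+))?(?: md5=(?P<md5>[0-9a-fA-F]{32}))?$"
)


def match_log_line(line: str) -> List[str]:
    """Return the IoC types matched by one log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits: List[str] = []
    if ip_is_blocked(m.group("dst")):
        hits.append("blocklist-ip")
    if m.group("host") and m.group("host").lower() in KNOWN_HOSTS:
        hits.append("download-host")
    # Hashes are compared case-insensitively; tools differ in how they print them.
    if m.group("md5") and m.group("md5").lower() in KNOWN_MD5S:
        hits.append("known-md5")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching line to its IoC hits; clean lines are left out."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        hits = match_log_line(line)
        if hits:
            results[line] = hits
    return results


# Constructed sample lines: a direct blocklist hit, a hit inside the /29 range,
# a clean line, and a line matching the download host and the attachment MD5.
SAMPLE_LOG = [
    "2015-11-27T09:40:01Z src=10.0.0.15 dst=198.57.243.108",
    "2015-11-27T09:40:02Z src=10.0.0.15 dst=94.73.155.12",
    "2015-11-27T09:40:03Z src=10.0.0.15 dst=93.184.216.34 host=example.com",
    "2015-11-27T09:41:10Z src=10.0.0.15 dst=203.0.113.9 host=kidsmatter2us.org "
    "md5=6E5654DA58C03DF6808466F0197207ED",
]

if __name__ == "__main__":
    for matched_line, matched_hits in scan(SAMPLE_LOG).items():
        print(matched_hits, matched_line)
```

Running it flags three of the four constructed lines; the second one matches only because 94.73.155.12 sits inside 94.73.155.8/29 (addresses .8 through .15), which is exactly the case a naive exact-match list would miss.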
