From: Ivan Jarman [IJarman@sportsafeuk.com]
Date: Fri, 27 Nov 2015 17:21:27 +0530
Subject: Invoice

Sent 27 NOV 15 09:35
Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ
Telephone 01206 795265
Fax 01206 795284

I have received several copies of this spam, all with the same attachment named S-INV-BROOKSTRO1-476006.doc, which has a VirusTotal detection rate of 1/54 and contains this malicious macro [pastebin].
This Malwr report shows that the macro downloads an executable from:
kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe
The executable has a detection rate of 3/55. The Hybrid Analysis report shows network traffic to:
198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)
The payload is probably the Dridex banking trojan.
MD5s:
6e5654da58c03df6808466f0197207ed
b7bb1381da652290534605e5254361bd
Recommended blocklist:
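As an added example (not part of the original post), the following Python scanner checks proxy logs for the indicators listed above: the macro's download URL from the Malwr report and the addresses from the Hybrid Analysis report. It assumes Squid native log format; the log lines, the internal clients, the host intranet.example and the address 198.51.100.7 are constructed for the demonstration, and blocklist entries are parsed with ipaddress so a CIDR range matches the same way as a single host.

```python
import ipaddress
import re

# Indicators quoted from the post: the macro's download URL (Malwr report)
# and the addresses the executable contacted (Hybrid Analysis report).
DOWNLOAD_URL = "kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe"
C2_BLOCKLIST = [
    "198.57.243.108", "94.73.155.12", "77.221.140.99", "37.128.132.96",
    "37.99.146.27", "217.160.110.232", "202.137.31.219", "91.212.89.239",
]

# Constructed Squid native-format log lines (not real traffic). Fields:
# timestamp elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1448617200.101 312 10.0.0.15 TCP_MISS/200 204800 GET http://kidsmatter2us.org/~parentsm/76f6d5/54sdfg7h8j.exe - HIER_DIRECT/198.57.243.108 application/octet-stream
1448617260.455 88 10.0.0.15 TCP_MISS/200 1320 POST http://94.73.155.12:8080/ - HIER_DIRECT/94.73.155.12 text/html
1448617300.002 40 10.0.0.22 TCP_MISS/200 5120 GET http://intranet.example/index.html - HIER_DIRECT/198.51.100.7 text/html
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)

def build_networks(entries):
    """Parse blocklist entries; a bare host becomes a /32, a CIDR stays a range."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def scan_log(text, entries=C2_BLOCKLIST, download_url=DOWNLOAD_URL):
    """Return (client, url, reasons) for each log line that touches an indicator."""
    networks = build_networks(entries)
    hits = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        reasons = []
        if download_url in m["url"]:
            reasons.append("download-url")
        try:
            peer = ipaddress.ip_address(m["peer"])
        except ValueError:
            peer = None  # peer was a hostname or '-', not an address
        if peer is not None and any(peer in net for net in networks):
            reasons.append("c2-ip")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits
```

Call scan_log(SAMPLE_LOG) to see the two hits; the peer check is the one that catches the POST to the C2 address, since no URL indicator covers it.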