From accounts [accounts@equip4work.co.uk]
Date Wed, 11 Nov 2015 14:54:33 +0400
Subject Invoice SI823610 from OfficeFurnitureOnline.co.uk Order Ref 4016584
Please find attached a sales invoice from OfficeFurnitureOnline.co.uk.
This email address is only for account enquiries, please check your confirmation
for any information regarding the order details or delivery lead times.
Thank you for your order.
Attached is a file SI823610.XLS which I have seen only one version of in several samples of the email. Usually there are different variants. In this case, the spreadsheet contains this malicious macro [pastebin] and has a VirusTotal score of 4/54. According to this Hybrid Analysis report it then downloads a malicious binary from:
kdojinyhb.wz.cz/87yte55/6t45eyv.exe
In turn, this binary has a detection rate of zero. Those two reports plus this Malwr report show between them malicious traffic to the following IPs:
95.154.203.249 (Iomart / Rapidswitch, UK)
182.93.220.146 (Ministry Of Education, Thailand)
89.32.145.12 (Elvsoft SRL / Coreix, Romania / UK)
The payload is the Dridex banking trojan.
Recommended blocklist:
95.154.203.249
182.93.220.146
89.32.145.12
wz.cz
MD5s:
37ceca4ac82d0ade9bac811217590ecd
01638daf6dfb757f9a27b3e8124b3324
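As an added example (not part of the original post), the blocklist above applied to constructed proxy log lines: the domain entry is treated as a suffix block so that "wz.cz" also catches kdojinyhb.wz.cz but not an unrelated name that merely ends in "wz.cz"; the log format is an assumption.

```python
# Added example, not from the original post: match log lines against the
# indicators listed in the post. IPs match exactly, domains match by suffix
# (wz.cz covers kdojinyhb.wz.cz), MD5s match a file hash field if present.
from urllib.parse import urlsplit

BLOCKED_IPS = {"95.154.203.249", "182.93.220.146", "89.32.145.12"}
BLOCKED_DOMAINS = {"wz.cz"}
BLOCKED_MD5S = {"37ceca4ac82d0ade9bac811217590ecd",
                "01638daf6dfb757f9a27b3e8124b3324"}


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def url_blocked(url: str) -> bool:
    """True if the URL's host is a blocked domain or a blocked IP."""
    if "://" not in url:          # the post lists the URL without a scheme
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return domain_blocked(host) or host in BLOCKED_IPS


def flag_log_lines(lines):
    """Return (line_number, reason) for each line hitting an indicator.
    Assumed line format: '<timestamp> <src_ip> <dst_ip> <url> [md5=<hash>]'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, _src, dst_ip, url = fields[:4]
        md5 = next((f[4:] for f in fields[4:] if f.startswith("md5=")), None)
        if dst_ip in BLOCKED_IPS:
            hits.append((n, "dst ip " + dst_ip))
        elif url_blocked(url):
            hits.append((n, "url " + url))
        elif md5 and md5.lower() in BLOCKED_MD5S:
            hits.append((n, "md5 " + md5))
    return hits


# Constructed sample lines (not real traffic); line 4 must NOT match.
SAMPLE_LOG = [
    "2015-11-11T14:55:01 10.0.0.12 5.6.7.8 http://kdojinyhb.wz.cz/87yte55/6t45eyv.exe",
    "2015-11-11T14:55:09 10.0.0.12 89.32.145.12 http://89.32.145.12/",
    "2015-11-11T14:56:00 10.0.0.12 93.184.216.34 http://example.com/ md5=37ceca4ac82d0ade9bac811217590ecd",
    "2015-11-11T14:57:00 10.0.0.12 93.184.216.34 http://notwz.cz/index.html",
]

if __name__ == "__main__":
    for n, reason in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```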
4 comments:

Hi,
We have this email with the same attachment, however, the download location for the exe is http:\\conesulmodelismo.com\br\87yte55\6t45eyv.exe

Got this dodgy email today too.
Is there any suggested follow on for this type of dodgy email - e.g. where to report it?

Got this email today also. Deleted straight away but good to see others have detected this.

Here is the Hybrid Analysis for conesulmodelismo.com.br
https://www.hybrid-analysis.com/sample/b2818610715f6e8e9a480b8fb731b1408be157a7f75ca36f0dd34efd28598822?environmentId=1
Overlapping IP from the callbacks: 89.32.145.12
Other recommended blocks:
221.132.35.56
89.108.71.148
200.169.17.48
conesulmodelismo.com.br