From: scan@victimdomainThe spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54 and contained this malicious macro [pastebin]. .
Reply-To: scan@victimdomain
To: hiett@victimdomain
Date: 30 November 2015 at 09:22
Subject: Message from mibser_00919013013
According to this Hybrid Analysis report and this Malwr report the macro downloads a malicious executable from:
velitolu.com/89u87/454sd.exe
This binary has a detection rate of 3/55. Automated report tools [1] [2] show network traffic to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)
The payload is likely to be the Dridex banking trojan:
MD5s:
1fac282d89e9af6fd548db2c71124c38
b77b2b6b80968b458e838d3a40e10551
Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100
No comments:
Post a Comment