From: "Steve McDonnell" [stevem@resimac.co.uk]
Date: Mon, 09 Nov 2015 18:24:23 +0530
Subject: OUTSTANDING INVOICES
Dear,
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Kind Regards
Steve McDonnell
Company Secretary
Resimac Ltd
Unit 11, Poplars Industrial Estate
Wetherby Road, Boroughbridge
North Yorkshire, YO51 9HS
UNITED KINGDOM
Tel: +44 (0) 1423 325073
Web: www.resimacsolutions.com
We are members of...
I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54 and which contains this malicious macro [pastebin] which (according to this Hybrid Analysis report) in this case downloads a binary (very slowly!) from:
www.davidcaballero.com/87yte55/6t45eyv.exe
The VirusTotal detection rate for this binary is 3/55. That report indicates network traffic to:
89.108.71.148 (Agava Ltd, Russia)
Other analyses are pending, however I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.
MD5s:
b227c91fbc1ba56e9f01ab4f1e2e502f
25e28f3ffc62bb55131b312d99c8f33b
UPDATE:
This Malwr report also shows traffic to the same IP address.
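The following is an added example, not part of the original post: a small Python matcher that takes the indicators listed above (download host and path, the callback IP, and the two MD5s) and checks them against proxy log lines and attachment hashes. The log format (timestamp, client, method, URL, destination IP) and the log lines themselves are constructed for illustration; only the indicator values come from the post.

```python
# Added example (not from the original post): match the post's indicators
# against constructed proxy log lines and against attachment MD5 hashes.
import ipaddress
import re

# Indicators taken from the post above.
IOC_DOMAINS = {"www.davidcaballero.com"}
IOC_URL_PATHS = {"/87yte55/6t45eyv.exe"}
IOC_IPS = {ipaddress.ip_address("89.108.71.148")}
IOC_MD5S = {
    "b227c91fbc1ba56e9f01ab4f1e2e502f",
    "25e28f3ffc62bb55131b312d99c8f33b",
}

# Constructed sample log (assumed format: timestamp client method url dst_ip).
# Timestamps, client addresses and the benign line are made up; 192.0.2.10 is
# a documentation address standing in for an unrelated destination.
SAMPLE_LOG = """\
1447071903.123 10.0.0.15 GET http://www.davidcaballero.com/87yte55/6t45eyv.exe 192.0.2.10
1447071910.456 10.0.0.15 POST http://89.108.71.148/ 89.108.71.148
1447071912.789 10.0.0.22 GET http://www.example.com/index.html 192.0.2.10
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^\s?#]*)?")


def _is_ioc_ip(text):
    """True if text parses as an IP address that is in the indicator set."""
    try:
        return ipaddress.ip_address(text) in IOC_IPS
    except ValueError:
        return False


def match_log_line(line):
    """Return an ordered, de-duplicated list of (indicator_type, value) hits
    for one log line, or [] if the line is clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    u = URL_RE.match(m["url"])
    if u:
        host = u["host"].lower()
        path = u["path"] or "/"
        if host in IOC_DOMAINS:
            hits.append(("domain", host))
        if path in IOC_URL_PATHS:
            hits.append(("url_path", path))
        if _is_ioc_ip(host):
            hits.append(("ip", host))
    # The destination column catches direct-to-IP traffic even when the URL
    # host is a name, and vice versa; duplicates are collapsed below.
    if _is_ioc_ip(m["dst"]):
        hits.append(("ip", m["dst"]))
    unique = []
    for h in hits:
        if h not in unique:
            unique.append(h)
    return unique


def scan_log(text):
    """Scan a multi-line log; return one record per line that hit an indicator."""
    results = []
    for line in text.splitlines():
        hits = match_log_line(line)
        if hits:
            m = LOG_RE.match(line.strip())
            results.append({"client": m["client"], "url": m["url"], "hits": hits})
    return results


def check_attachment_hash(md5_hex):
    """True if an attachment's MD5 (any case) is one of the listed samples."""
    return md5_hex.strip().lower() in IOC_MD5S


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["client"], rec["url"], rec["hits"])
    print(check_attachment_hash("B227C91FBC1BA56E9F01AB4F1E2E502F"))
```

Matching on the destination IP as well as the URL host is what makes the second line fire: the post's binary talks to 89.108.71.148 directly, so a domain-only list would miss the callback traffic that the blocking recommendation is about.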