From: tracey.beedles@eurocarparts.com
Date: Fri, 20 Nov 2015 18:49:06 +0700
Subject: Reprint Document archive

Attached is a Print Manager form.
Format = Word Document Format File (DOC)

The attachment is named pmB3A6.doc and it comes in at least four different versions (VirusTotal results [1] [2] [3] [4]). It contains a malicious macro like this [pastebin] which, according to these Hybrid Analysis results [5] [6] [7] [8], downloads a malicious binary from one of the three following locations:

pr-clanky.kvalitne.cz/65y3fd23d/87i4g3d2d2.exe
buzmenajerlik.com.tr/65y3fd23d/87i4g3d2d2.exe
irisbordados.com/65y3fd23d/87i4g3d2d2.exe
This executable has a detection rate of 4/52 and, according to that VT report and this Malwr report, there is network traffic to:
157.252.245.32 (Trinity College Hartford, US)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
Interestingly, if you look at the Hybrid Analysis report and others, the executable masquerades as mbar.exe (Malwarebytes Anti-Rootkit). The payload is most likely to be the Dridex banking trojan.
Recommended blocklist:
157.252.245.32
89.32.145.12
MD5s:
ee5be0095669fb4456d2643359a174be
236244800e8f00d98a30d7d073ca3b41
e5413387decf22d3dfe3c899e43e6c25
e23b22e8bf2c97dbadd4eaa1e4e6fa21
4bd1b0bcc9bbf1889ccbd0ca0f82d5b5
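Putting the blocklist and hash list to work, as an added example that is not part of the original post: a small Python script that scans a proxy log for connections to the two blocklisted IPs or requests for the payload URL (and for the same unusual path on a host the post does not list), and checks a file's bytes against the listed MD5s. The log format, the sample log lines and their timestamps and addresses (other than the post's own indicators) are assumptions constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators taken from the post above: the two IPs in the recommended blocklist,
# the three download locations for the macro's payload, and the listed MD5s.
BLOCKLIST_IPS = {"157.252.245.32", "89.32.145.12"}
PAYLOAD_HOSTS = {"pr-clanky.kvalitne.cz", "buzmenajerlik.com.tr", "irisbordados.com"}
PAYLOAD_PATH = "/65y3fd23d/87i4g3d2d2.exe"
MALICIOUS_MD5S = {
    "ee5be0095669fb4456d2643359a174be",
    "236244800e8f00d98a30d7d073ca3b41",
    "e5413387decf22d3dfe3c899e43e6c25",
    "e23b22e8bf2c97dbadd4eaa1e4e6fa21",
    "4bd1b0bcc9bbf1889ccbd0ca0f82d5b5",
}

# Constructed sample proxy log (assumed format), one request per line:
#   <epoch> <client_ip> <method> <target> <destination_ip>
# Timestamps, client addresses and the destination IPs of the non-blocklisted
# hosts are made up; the CONNECT to 89.32.145.12 uses one of the post's IPs.
SAMPLE_LOG = """\
1448023746 10.0.0.5 GET http://irisbordados.com/65y3fd23d/87i4g3d2d2.exe 203.0.113.9
1448023801 10.0.0.7 GET http://www.example.com/index.html 93.184.216.34
1448023950 10.0.0.5 CONNECT 89.32.145.12:443 89.32.145.12
1448024010 10.0.0.9 GET http://example.net/65y3fd23d/87i4g3d2d2.exe 198.51.100.4
"""


def split_target(target):
    """Return (host, path) for a proxy request target.

    Full URLs ("http://host/path") are split with urlsplit; CONNECT targets
    ("host:port") carry no path, so only the host part is returned.
    """
    if "://" in target:
        parts = urlsplit(target)
        return parts.hostname or "", parts.path
    return target.rsplit(":", 1)[0], ""


def classify(line):
    """Return the list of indicator names a single log line matches."""
    _ts, _client, _method, target, dst_ip = line.split()
    host, path = split_target(target)
    reasons = []
    if dst_ip in BLOCKLIST_IPS:
        reasons.append("blocklisted-ip")
    if host in PAYLOAD_HOSTS and path == PAYLOAD_PATH:
        reasons.append("payload-url")
    elif path == PAYLOAD_PATH:
        # Same path on a host the post does not list: worth a look, since the
        # same download path was reused across all three listed sites.
        reasons.append("payload-path")
    return reasons


def scan_log(text):
    """Scan a whole log and return [(line_number, reasons)] for matching lines."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


def md5_hex(data):
    """Hex MD5 of a file's bytes, in the same format as the post's hash list."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data):
    """True if the bytes hash to one of the MD5s listed in the post."""
    return md5_hex(data) in MALICIOUS_MD5S


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
    print("empty file is a known sample:", is_known_sample(b""))
```

The "payload-path" match is deliberately weaker than the exact URL match: it catches the same download path served from a fourth host that the post did not see, which is a common pattern when a campaign rotates compromised sites, but it should be reviewed rather than blocked outright.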