From: noreply@cevalogistics.com
Date: 19 November 2015 at 10:27
Subject: [Shipping notification] N3043597 (PB UK)

There is no body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is the same in all cases, containing this malicious macro [pastebin] and it has a VirusTotal detection rate of 2/54. The comments on that VirusTotal report plus this Hybrid Analysis report indicate a malicious binary is downloaded from:

iwcleaner.co.uk/8i65h4g53/o97i76u54.exe
This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54 and this Hybrid Analysis report shows malicious traffic to the following IP (which I recommend you block):
182.93.220.146 (Ministry of Education, Thailand)
The payload is almost definitely the Dridex banking trojan.
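As an added example (not part of the original post), the following Python checks an incoming message against the indicators listed above: the sender, the subject pattern with its random "N" number, the empty body, the attachment name, and the MD5 of the downloaded binary. The sample message it builds is constructed for offline testing and is not a real campaign sample.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the post above.
SENDER = "noreply@cevalogistics.com"
SUBJECT_RE = re.compile(r"^\[Shipping notification\] N\d+ \(PB UK\)$")
ATTACHMENT_NAME = "shipping-notification.xls"
PAYLOAD_MD5 = "e0d24cac5fb16c737f5f016e54292388"


def email_indicators(raw_message: bytes) -> list:
    """Return the campaign indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("From", "")).strip().lower().endswith(SENDER):
        hits.append("sender")
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject")
    # The campaign mails have no body text at all.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty_body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment_name")
    return hits


def payload_matches(data: bytes) -> bool:
    """True if a retrieved binary has the MD5 reported for the downloaded payload."""
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5


def build_sample() -> bytes:
    """Constructed lookalike message for offline testing (not a real sample)."""
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = "recipient@example.com"
    m["Subject"] = "[Shipping notification] N3043597 (PB UK)"
    m.set_content("")
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder, not a macro",
                     maintype="application", subtype="vnd.ms-excel",
                     filename=ATTACHMENT_NAME)
    return m.as_bytes()


if __name__ == "__main__":
    print(email_indicators(build_sample()))
```

A message matching several indicators at once is a strong candidate for quarantine; matching the sender alone is weak, since the From address is trivially spoofed.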