I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\Users\HOLLY~1.HUM\AppData\Local\Temp\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro [pastebin] and has a VirusTotal detection rate of 3/55.
From: Holly Humphreys [Holly.Humphreys@datanet.co.uk]
Date: 3 December 2015 at 08:57
Subject: Invoice from DATANET the Private Cloud Solutions Company
Dear Accounts Dept :
Your invoice is attached, thank you for your business.
If you have any queries please do not hesitate to contact us.
Regards
DATANET.CO.UK
01252 810010 Accounts Support from 9am to 5.30pm Monday to Friday
01252 813396 Technical Support from 8am to 8pm Monday to Friday
Please reply to Accounts@datanet.co.uk
________________________________
Holly Humphreys
Operations
Datanet - Hosting & Connectivity
E: Holly.Humphreys@datanet.co.uk
W: www.datanet.co.uk
T: 01252 810010
F: 01252 813391
S: 01252 813396 - Normal Support: 8am-8pm Mon-Fri, Critical Break Fix Support: 24x7
DATANET.CO.UK Limited, Cloud Hosting & Connectivity Service Provider. Datanet is an ISO 9001 & ISO 27001 certified business with the mantra of "CIA" - "Confidentiality, Integrity and Availability" at the heart of our private cloud solutions.
Information contained in this communication is confidential or restricted and is solely for the use of the intended recipient and others authorised to receive it.
If you are not the intended recipient you are hereby notified that any disclosure, distribution or action taken based on this email is prohibited and may be unlawful.
Registered Office: DATANET.CO.UK Limited, Aspen House, Barley Way, Ancells Business Park, Fleet, Hampshire, GU51 2UT Registered in England - No. 03214053
According to this Malwr report and this Hybrid Analysis the XLS file downloads a malicious binary from:
encre.ie/u5y432/h54f3.exe
There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55 and that report plus this Malwr report indicate malicious network traffic to:
162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)
The payload is almost definitely the Dridex banking trojan.
MD5s:
1bfd7cdc2731ec85617555f63473e3c9
0dcb805a3efa215bde97aa1f32559b77
Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169
UPDATE
I have seen another version of the document with an MD5 of c7fa6a1f345aec2f1db349a80257f459 and a VirusTotal result of 3/54. According to this Malwr report it downloads from:
parentsmattertoo.org/u5y432/h54f3.exe
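To turn the indicators above (the blocklisted addresses including the /29, the two download locations that share the same /u5y432/h54f3.exe path, the MD5s, and the path-like attachment name from the sample) into something a defender can run over their own logs, here is an added Python example. It is not code from the original post; the proxy log format and the sample log lines are constructed for the example, and the destination addresses for the download hosts are made-up documentation-range values, not resolved ones.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKLIST_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("162.208.8.198/32", "94.73.155.8/29", "78.47.66.169/32")
]
DOWNLOAD_HOSTS = {"encre.ie", "parentsmattertoo.org"}
PAYLOAD_PATH = "/u5y432/h54f3.exe"  # identical on both compromised sites
MD5S = {
    "1bfd7cdc2731ec85617555f63473e3c9",
    "0dcb805a3efa215bde97aa1f32559b77",
    "c7fa6a1f345aec2f1db349a80257f459",
}

# Constructed sample proxy log, simplified format: "epoch client method url dest_ip".
# Destination IPs here are RFC 5737 documentation addresses, not real resolutions.
SAMPLE_LOG = [
    "1449130612 10.0.0.21 GET http://www.example.com/index.html 93.184.216.34",
    "1449130640 10.0.0.21 GET http://encre.ie/u5y432/h54f3.exe 203.0.113.7",
    "1449130655 10.0.0.21 POST http://203.0.113.9/ 94.73.155.12",
    "1449130702 10.0.0.33 GET http://another-site.example/u5y432/h54f3.exe 198.51.100.4",
]


def ip_blocked(ip: str) -> bool:
    """True if the address falls inside any blocklisted range (handles the /29)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKLIST_NETWORKS)


def url_matches(url: str) -> Optional[str]:
    """Reason string if the URL hits a known download host or the shared payload path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        return "known download host %s" % host
    # The post expects further copies on other sites, so the path alone is worth matching.
    if parts.path == PAYLOAD_PATH:
        return "known payload path on new host %s" % host
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        _epoch, _client, _method, url, dest_ip = fields[:5]
        reason = url_matches(url)
        if reason is None and ip_blocked(dest_ip):
            reason = "destination %s in blocklist" % dest_ip
        if reason:
            hits.append((n, reason))
    return hits


def scan_hashes(md5s: List[str]) -> List[str]:
    """Case-insensitive match of observed MD5s against the known sample hashes."""
    return sorted(h.lower() for h in md5s if h.lower() in MD5S)


def suspicious_attachment_name(name: str) -> bool:
    """Flag attachment names shaped like the sample: a full local path (drive letter
    or path separators) or a doubled dot right before the extension."""
    looks_like_path = re.search(r"^[A-Za-z]:|[\\/]", name) is not None
    doubled_dot_ext = re.search(r"\.\.[A-Za-z0-9]{1,5}$", name) is not None
    return looks_like_path or doubled_dot_ext


if __name__ == "__main__":
    for line_no, why in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s" % (line_no, why))
```

The CIDR check matters because the post recommends blocking 94.73.155.8/29 while the observed traffic went to 94.73.155.12; matching on the exact IP alone would miss neighbours in the same range.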
4 comments:
I have just received same email- thanks for the warning :)
Me too. Thanks much. I received both the Datanet and Industrial Cleaning Materials emails within an hour, early a.m. Dec 3, 2015.
Same here, both Datanet and Industrial Cleaning Materials emails late morning on the 3rd Dec.. Just did a quick search as I never open this sort of mail, thanks for the posts...
It's doing the rounds... had a few others recently...