Wednesday 16 December 2015

Malware spam: "Invoice No. 22696240" / "Sharon Samuels" [sharons463@brunel-promotions.co.uk]

This fake financial email does not come from Brunel Promotions but is instead a simple forgery with a malicious attachment.

From     "Sharon Samuels" [sharons463@brunel-promotions.co.uk]
Date     Wed, 16 Dec 2015 14:46:12 +0300
Subject     Invoice No. 22696240

Good morning

Please find attached your latest invoice, for your attention.

Please be advised that your goods have been despatched for delivery.

Regards

Sharon
--------------------------------------------
Calendars and Diaries of Bristol Limited
Hope Road
Bedminster

BRISTOL
Bristol
BS3 3NZ
United Kingdom
Tel:01179636161
Fax:01179664235
Various details in the message change, such as the invoice number. I have seen two attachments with detection rates of 4/55 [1] [2] which, according to Malwr [3] [4], download a malicious binary from the following locations:

winnig.privat.t-online.de/98g654d/4567gh98.exe
printempsroumain.org/98g654d/4567gh98.exe


This executable has a detection rate of 3/52 and these automated analyses [1] [2] [3] [4] indicate network traffic to:

199.7.136.84 (Megawire, Canada)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)


The payload is probably the Dridex banking trojan.

MD5s:
d73d599ef434d7edad4697543a3e8a2b
7bcf4a947a74866debbcdeae068541fe
1cf8d5ab33c7e9e603d87d482c1c865d


Recommended blocklist:
199.7.136.84
202.69.40.173
221.132.35.56
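
As an added example (not part of the original post), the following Python script turns the indicators listed above into a simple retrospective check: it scans proxy log lines for connections to the three blocklisted addresses or to the two payload download URLs, and compares an attachment's MD5 against the three listed hashes. The log lines are constructed for illustration (squid-style access log format is assumed), and the `scan_proxy_log` and `check_attachment_hash` function names are my own.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the post above.
BLOCKLIST_IPS = {"199.7.136.84", "202.69.40.173", "221.132.35.56"}
PAYLOAD_URLS = {
    "winnig.privat.t-online.de/98g654d/4567gh98.exe",
    "printempsroumain.org/98g654d/4567gh98.exe",
}
KNOWN_MD5S = {
    "d73d599ef434d7edad4697543a3e8a2b",
    "7bcf4a947a74866debbcdeae068541fe",
    "1cf8d5ab33c7e9e603d87d482c1c865d",
}

# Derived lookups: hostnames of the download locations and their URL paths.
PAYLOAD_HOSTS = {u.split("/", 1)[0] for u in PAYLOAD_URLS}
PAYLOAD_PATHS = {"/" + u.split("/", 1)[1] for u in PAYLOAD_URLS}

# Constructed sample log (squid access.log layout assumed):
# timestamp elapsed client status bytes method url user hierarchy type
SAMPLE_PROXY_LOG = """\
1450273572.123    345 10.0.0.15 TCP_MISS/200 51234 GET http://winnig.privat.t-online.de/98g654d/4567gh98.exe - DIRECT/203.0.113.10 application/octet-stream
1450273580.456     12 10.0.0.15 TCP_MISS/200 812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1450273590.789    210 10.0.0.22 TCP_MISS/200 1024 POST http://199.7.136.84/ - DIRECT/199.7.136.84 application/octet-stream
1450273600.000    150 10.0.0.31 TCP_MISS/200 2048 GET http://221.132.35.56:8080/ - DIRECT/221.132.35.56 text/html
"""

# Fields: timestamp, elapsed, client, status, bytes, method, url (rest ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(text):
    """Return (client_ip, url, reason) for each line that touches a known indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        url = m.group("url")
        parsed = urlparse(url)
        host = parsed.hostname or ""  # strips any :port suffix
        if host in BLOCKLIST_IPS:
            hits.append((m.group("client"), url, "blocklisted C2 address"))
        elif host in PAYLOAD_HOSTS and parsed.path in PAYLOAD_PATHS:
            hits.append((m.group("client"), url, "payload download URL"))
    return hits


def check_attachment_hash(data):
    """Return True if the MD5 of the given bytes matches one of the listed samples."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5S


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}  [{reason}]")
    print("sample attachment known:", check_attachment_hash(b"constructed benign content"))
```

Matching on the parsed hostname rather than a raw substring avoids both missed hits when a port is appended and false positives on longer addresses that merely contain a blocklisted one as a prefix.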