From: Frances Figueroa
Date: 16 December 2015 at 17:22
Subject: Your account has a debt and is past due

Dear Customer,
Our records show that your account has a debt of $345.{rand(10,99)}}. Previous attempts of collecting this sum have failed.
Down below you can find an attached file with the information on your case.

The value, sender's name and attachment name are randomly generated. The attachment is named in the format SCAN_INVOICE_79608749.zip which contains a malicious script that attempts to download Teslacrypt ransomware from the following locations:
whatdidyaysay.com/80.exe?1
iamthewinnerhere.com/80.exe?1
This has a VirusTotal detection rate of 3/54 and an MD5 of 5c2a687f9235dd536834632c8185b32e. Those download locations have been registered specifically for this purpose (they are not hacked sites) and are hosted on:
176.99.12.87 (Global Telecommunications Ltd., Russia)
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
5.178.71.10 (Serverius, Netherlands)
The following malicious sites are also hosted on those IPs:
dns1.ojwekhsdfs.in
dns2.ojwekhsdfs.in
whatdidyaysay.com
washawaydesctrucion.com
dns1.mikymaus.in
dns2.mikymaus.in
dns1.saymylandgoodbye.in
dns2.saymylandgoodbye.in
dns2.auth-mail.ru
gammus.com
ifyougowegotoo.com
iamthewinnerhere.com
thewelltakeberlin.com
remarkablyxj.top
sufficientbe.top
domainsgmwills.top
ns2.directly-truimph.com
These automated reports [1] [2] [3] show that the malware calls home to these following legitimate but hacked domains:
sofiehughesphotography.com
goedkoop-weekendjeweg.net
coatesarchitecture.com
hotbizlist.com
adamhughes.in
magaz.mdoy.pro
Recommended minimum blocklist:
176.99.12.87
185.69.152.145
5.178.71.10
whatdidyaysay.com
iamthewinnerhere.com
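As an added example (not part of the original post), the following Python script turns the recommended minimum blocklist above and the SCAN_INVOICE_<digits>.zip attachment naming pattern into simple detection checks, and runs them over a few constructed proxy log lines. The log format (timestamp, client IP, method, URL, status) and the client addresses are assumptions for the demonstration; the blocked IPs, domains and the two download URLs are taken from the post.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators taken from the post's recommended minimum blocklist.
BLOCKED_IPS = {"176.99.12.87", "185.69.152.145", "5.178.71.10"}
BLOCKED_DOMAINS = {"whatdidyaysay.com", "iamthewinnerhere.com"}

# Attachment naming pattern described in the post: SCAN_INVOICE_<digits>.zip
ATTACHMENT_RE = re.compile(r"^SCAN_INVOICE_\d+\.zip$", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked_host(host: str) -> bool:
    """True if host is a blocklisted IP, or a blocklisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    try:
        return str(ip_address(host)) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    # Anchor on the label boundary so "iamthewinnerhere.com.example.net" does not match.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def is_blocked_url(url: str) -> bool:
    return is_blocked_host(host_of(url))


def is_suspicious_attachment(name: str) -> bool:
    """True if an attachment name follows the SCAN_INVOICE_<digits>.zip pattern."""
    return bool(ATTACHMENT_RE.match(name))


# Constructed proxy log lines (hypothetical format: timestamp client-ip method url status).
SAMPLE_LOG = """\
2015-12-16T17:30:01 10.0.0.12 GET http://whatdidyaysay.com/80.exe?1 200
2015-12-16T17:30:02 10.0.0.12 GET http://www.example.com/index.html 200
2015-12-16T17:30:05 10.0.0.33 GET http://5.178.71.10/80.exe?1 200
2015-12-16T17:30:09 10.0.0.33 GET http://iamthewinnerhere.com.example.net/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def find_blocked_requests(log_text: str) -> list:
    """Return (timestamp, client, host) for every log line whose URL hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        if is_blocked_url(url):
            hits.append((ts, client, host_of(url)))
    return hits


if __name__ == "__main__":
    for ts, client, host in find_blocked_requests(SAMPLE_LOG):
        print(f"{ts} {client} contacted blocklisted host {host}")
```

The domain check matches on label boundaries, so subdomains of a blocked domain are caught while unrelated hosts that merely contain the string are not; the IP check goes through `ipaddress` so that equivalent spellings of an address normalise before comparison.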