From Foyle Food Group Limited [accounts@foylefoodgroup.com]I haven't had the chance to do the analysis myself, so I am relying on the analysis of a contact (thank you). The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
Date Fri, 29 Jan 2016 17:58:37 +0700
Subject Despatch Note FFGDES34309
Please find attached Despatch Note FFGDES34309
jjcoll.in/56gf/g545.exe
romana.fi/56gf/g545.exe
clickchiropractic.com/56gf/g545.exe
This has an MD5 of d88c2bed761c7384d0e8657477af9da7 and a detection rate of 6/49. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3
No comments:
Post a Comment