Dynamoo's Blog: Malware spam: "Emailing: 120205 Letter-response A3 2-2" / Tim Speed [Tim@plan4print.co.uk]

Wednesday, 20 January 2016

Malware spam: "Emailing: 120205 Letter-response A3 2-2" / Tim Speed [Tim@plan4print.co.uk]

Tim Speed is really a super name for a printer. Better for a racing driver, but still good for a printer. Anyway, this fake financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple forgery with a malicious attachment.

From     Tim Speed [Tim@plan4print.co.uk]
Date     Wed, 20 Jan 2016 14:33:24 +0300
Subject     Emailing: 120205 Letter-response A3 2-2

Hi
Please find estimate attached for Letter-response A3 2-2
Kind regards
Tim Speed
Estimator / Account Handler
Tel: 0115 944 3377 Ext 104

Click here to check out our BRAND NEW website
Goshawk Road, Quarry Hill Industrial Park, Ilkeston, Derbyshire, DE7 4RG
Tel: 0115 944 3377 Fax: 0115 944 3388 Web: www.plan4print.co.uk
Email: tim@plan4print.co.uk

Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54. The Malwr report shows it downloading from:

www.lassethoresen.com/98jh6d5/89hg56fd.exe

This is the same malicious binary as used in this earlier attack. The payload is the Dridex banking trojan.

2 comments:

FletchSec said...: URL written into the strings for the sample I saw:

http://202.191.112[.]60/~n02022-1/98jh6d5/89hg56fd.exe]; 20 January 2016 at 14:00
Asdf ASDF said...: Thank you for sharing. Your sample unpacks to this:

https://www.virustotal.com/en/file/3c8bcaf6c1092d302a7cadd8a8bda20535d2fbd0ae5de1d1384575d14907bb18/analysis/1453298086/

The Botnet ID is 220.; 20 January 2016 at 14:13

Dynamoo's Blog

Link List

Sponsored by..

Wednesday, 20 January 2016

Malware spam: "Emailing: 120205 Letter-response A3 2-2" / Tim Speed [Tim@plan4print.co.uk]

2 comments: