From: Bettye Davidson
Date: 21 January 2016 at 08:24
Subject: Invoice from DRAGON OIL - 8454985
Please find attached a copy of your invoice
Many Thanks
Bettye Davidson
DRAGON OIL
Attachment: DRAGON OIL - inv8454985.DOC
================
From: Charlotte Atkinson
Date: 21 January 2016 at 08:23
Subject: Invoice from GULF FINANCE HOUSE - 40610
Please find attached a copy of your invoice
Many Thanks
Charlotte Atkinson
GULF FINANCE HOUSE
Attachment: GULF FINANCE HOUSE - inv40610.DOC
================
From: Lucien Drake
Date: 21 January 2016 at 09:26
Subject: Invoice from HYDROGEN GROUP PLC - 477397
Please find attached a copy of your invoice
Many Thanks
Lucien Drake
HYDROGEN GROUP PLC
Attachment: HYDROGEN GROUP PLC - inv477397.doc
================
So far I have seen a couple of different versions of the attachment (VirusTotal [1] [2]) which, according to Malwr [3] [4], both download a malicious binary from:
5.189.216.101/dropbox/download.php
This IP belongs to LLHost Inc, Netherlands. You can assume that the IP is malicious.
The dropped binary is named rare.exe and has an MD5 of e6f67b358009f66f1a4840c1eff19c2e and a detection rate of 4/53. The Malwr report for this shows it phoning home to:
198.50.234.211 (OVH, Canada)
The payload is the Dridex banking trojan, and this behaviour is characteristic of Botnet 120.
Recommended blocklist:
198.50.234.211
5.189.216.101
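Added example, not part of the original post: a small Python detector built from the indicators above. It flags mails whose subject and attachment follow the "Invoice from <COMPANY> - <number>" / "<COMPANY> - inv<number>.doc" template seen in all three samples, and scans proxy log lines for contact with the two blocklisted addresses or for the download path on any host; the log layout and sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post above: download host and C2 address.
BLOCKLIST_IPS = {"5.189.216.101", "198.50.234.211"}
DOWNLOAD_PATH = "/dropbox/download.php"

# Lure template seen in all three samples: subject "Invoice from <COMPANY> - <number>"
# paired with an attachment "<COMPANY> - inv<number>.doc" (case of .DOC varies).
SUBJECT_RE = re.compile(r"^Invoice from (?P<company>.+?) - (?P<num>\d+)$")
ATTACH_RE = re.compile(r"^(?P<company>.+?) - inv(?P<num>\d+)\.doc$", re.IGNORECASE)

def matches_campaign(subject: str, attachment: str) -> bool:
    """True when subject and attachment both fit the template and agree on
    company name and invoice number, as in the three samples above."""
    s = SUBJECT_RE.match(subject.strip())
    a = ATTACH_RE.match(attachment.strip())
    if not s or not a:
        return False
    return s["company"].casefold() == a["company"].casefold() and s["num"] == a["num"]

def flag_proxy_lines(lines):
    """Return (client_ip, reason) for proxy log lines that reach a blocklisted
    host or request the download path from any host.
    Assumed (constructed) layout: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        if parts.hostname in BLOCKLIST_IPS:
            hits.append((client, f"contact with blocklisted host {parts.hostname}"))
        elif parts.path == DOWNLOAD_PATH:
            hits.append((client, f"request for download path on {parts.hostname}"))
    return hits

# Constructed sample log: two lines from one infected host, one benign line,
# and the same download path served from a different host.
SAMPLE_PROXY_LOG = [
    "2016-01-21T08:31:02 10.0.0.15 GET http://5.189.216.101/dropbox/download.php 200",
    "2016-01-21T08:31:09 10.0.0.15 POST http://198.50.234.211/ 200",
    "2016-01-21T08:32:10 10.0.0.22 GET http://intranet.example/index.html 200",
    "2016-01-21T08:40:44 10.0.0.31 GET http://mirror.example/dropbox/download.php 200",
]

if __name__ == "__main__":
    for client, reason in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print(client, reason)
```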