From invoices@ebillinvoice.com
Date Thu, 21 Jan 2016 15:13:36 +0530
Subject 201552 ebill
Customer No : 8652
Email address : [redacted]
Attached file name : 8652_201552.DOC
Dear customer
Please find attached your invoice for 201552.
To manage your account online - please visit Velocity.
https://www.velocitycardmanagement.com
Alternatively please contact us on:
invoices@ebillinvoice.com
Yours sincerely
Louisa Brown
DCI
Ground Floor, Unit 2,
Galway Technology Park,
Parkmore, Galway, H91KFD3
Company Reg No : 233354
======================================================
This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.
======================================================
There are at least three different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
phaleshop.com/8h75f56f/34qwj9kk.exe
bolmgren.com/8h75f56f/34qwj9kk.exe
return-gaming.de/8h75f56f/34qwj9kk.exe
montaj-klimat.ru/8h75f56f/34qwj9kk.exe [spotted here]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54. Those reports indicate that it phones home to:
216.224.175.92 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to:
216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.
Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173
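As an added example (not part of the original post), the following Python script turns the indicators above, the four payload download URLs and the four C2 addresses in the blocklist, into a check that can be run over proxy and firewall logs. It treats the URL path /8h75f56f/34qwj9kk.exe as the strongest indicator, since the same path was served from four different compromised hosts, and so also flags that path on a host not in the list; that generalisation is ours, not the post's. The log lines are constructed samples in a Squid-style and a syslog-style layout, and the hostname unlisted-host.example and the private client addresses are invented for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the write-up above (C2 addresses, payload hosts, payload URL path).
C2_IPS = {"216.224.175.92", "216.59.16.175", "216.117.130.191", "202.69.40.173"}
PAYLOAD_HOSTS = {"phaleshop.com", "bolmgren.com", "return-gaming.de", "montaj-klimat.ru"}
PAYLOAD_PATH = "/8h75f56f/34qwj9kk.exe"


def classify_url(url):
    """Return (severity, reason) if the URL matches a campaign indicator, else None.

    The path is treated as the strongest indicator: the same path was served from
    four different compromised hosts, so a fifth host serving it is very likely
    the same campaign (our generalisation, not something the post states).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_IPS:
        return ("high", "HTTP request to Dridex C2 address")
    if parts.path == PAYLOAD_PATH:
        if host in PAYLOAD_HOSTS:
            return ("high", "payload download from listed host")
        return ("high", "payload path served from unlisted host")
    if host in PAYLOAD_HOSTS:
        return ("low", "other request to a host that served the payload")
    return None


# Squid native access.log layout: timestamp elapsed client result bytes method url
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(text):
    """Match each proxy log line against the indicators; skip malformed lines."""
    hits = []
    for line in text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({"client": m["client"], "url": m["url"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


FW_DST = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b")
FW_SRC = re.compile(r"\bsrc=(?P<src>\S+)")


def scan_firewall_log(text):
    """Flag outbound connections to a listed C2 address on any port.
    This catches traffic that bypasses the proxy and so never appears there."""
    hits = []
    for line in text.splitlines():
        d = FW_DST.search(line)
        if d and d["dst"] in C2_IPS:
            s = FW_SRC.search(line)
            hits.append({"src": s["src"] if s else "?", "dst": d["dst"]})
    return hits


def iptables_blocklist():
    """Render the post's recommended blocklist as egress DROP rules."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(C2_IPS)]


# Constructed sample logs (not real captures).
SAMPLE_PROXY_LOG = """\
1453369000.123 45 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html
1453369012.456 980 10.0.0.15 TCP_MISS/200 204800 GET http://montaj-klimat.ru/8h75f56f/34qwj9kk.exe
1453369020.789 60 10.0.0.22 TCP_MISS/200 1024 GET http://bolmgren.com/about.html
1453369025.000 700 10.0.0.31 TCP_MISS/200 204800 GET http://unlisted-host.example/8h75f56f/34qwj9kk.exe
1453369030.000 120 10.0.0.15 TCP_MISS/200 300 POST http://216.224.175.92/
"""

SAMPLE_FW_LOG = """\
Jan 21 10:02:11 fw kernel: OUT src=10.0.0.15 dst=216.59.16.175 proto=tcp dport=443
Jan 21 10:02:15 fw kernel: OUT src=10.0.0.22 dst=198.51.100.7 proto=tcp dport=80
Jan 21 10:02:40 fw kernel: OUT src=10.0.0.15 dst=202.69.40.173 proto=tcp dport=8080
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']}] {hit['client']} {hit['url']} :: {hit['reason']}")
    for hit in scan_firewall_log(SAMPLE_FW_LOG):
        print(f"[high] {hit['src']} -> {hit['dst']} :: direct C2 connection")
    print("\n".join(iptables_blocklist()))
```

Run against the samples, the proxy scan reports the montaj-klimat.ru download, the same path on the unlisted host and the POST to 216.224.175.92 as high, and the unrelated bolmgren.com page as low (the site is compromised, but an ordinary page fetch is not by itself evidence of infection); the firewall scan adds the two direct C2 connections, which is where the 443 and 8080 traffic would otherwise hide.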