Sponsored by..

Thursday 21 January 2016

Malware spam: "invoices@ebillinvoice.com" / "201552 ebill"

This fake financial email comes with a malicious attachment.

From     invoices@ebillinvoice.com
Date     Thu, 21 Jan 2016 15:13:36 +0530
Subject     201552 ebill

Customer No         : 8652
Email address       : [redacted]
Attached file name  : 8652_201552.DOC

Dear customer

Please find attached your invoice for 201552.

To manage your account online - please visit Velocity.

Alternatively please contact us on:

Yours sincerely

Louisa Brown

Ground Floor, Unit 2,
Galway Technology Park,
Parkmore, Galway, H91KFD3
Company Reg No : 233354

This email, its content and any files transmitted with
it are confidential and intended solely for the use of
the individual(s) to whom it is addressed.
If you are not the intended recipient, be advised that
you have received this email in error and that any use,
dissemination, forwarding, printing or copying of
this email is strictly prohibited.

There are at least three different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:


montaj-klimat.ru/8h75f56f/34qwj9kk.exe [spotted here]

This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54. Those reports indicate that it phones home to. (SoftCom America Inc., US)

A contact (thank you) also pointed out some other locations the malware phones home to (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil) (Advanced Internet Technologies Inc., US) (Gerrys Information Technology (pvt) Ltd, Pakistan)

The payload is the Dridex banking trojan, being sent by botnet 220.

Recommended blocklist:

No comments: