From JOHN RUSSELL [John.Russell@yesss.co.uk]There are at least five different versions of the attachment 033777 [Ref. MARKETHILL CHURCH].doc (VirusTotal results [1] [2] [3] [4] [5]). Analysis of these documents is pending, however it is likely to be the Dridex banking trojan.
Date Wed, 13 Jan 2016 20:11:43 +0600
Subject Order 0046/033777 [Ref. MARKETHILL CHURCH]
John Russell
Branch Manager
Yesss Electrical
44 Hilsborough Old Road
Lisburn
BT27 5EW
T: 02892 606 758
M: 07854362314
F: 02892 606 759
E: John.Russell@yesss.co.uk
[EW Award winner 2015]
[Electrical Times Award winner 2014]
[EW Award winner 2014]
[YESSS gains all three BSI industry standards]
[Order a YESSS Book NOW!]
[Our YESSS motto]
[Visit the YESSS website] [Visit the YESSS Facebook
page] [Visit the YESSS Twitter page]
[Visit the YESSS Youtube page]
[Visit the YESSS Linkedin page]
[Visit the YESSS Pinterest page]
UPDATE
These Malwr reports [1] [2] [3] [4] [5] indicate the macro in the document downloads from one of the following locations:
amyzingbooks.com/l9k7hg4/b4387kfd.exe
webdesignoshawa.ca/l9k7hg4/b4387kfd.exe
powerstarthosting.com/l9k7hg4/b4387kfd.exe
This binary has a detection rate of 4/53. The Hybrid Analysis shows the malware phoning home to:
85.25.200.103 (PlusServer AG, Germany)
I recommend that you block traffic to that IP.
No comments:
Post a Comment