From: Color @ MRH Solicitors [color58@yahoo.co.uk]
Date: 13 January 2016 at 07:53
Subject: Scanned Document
Find the attachment for the scanned Document

The attached file is named ScannedDocs122151.xls and comes in at least five different versions (VirusTotal results [1] [2] [3] [4] [5]). The Malwr reports for these documents [6] [7] [8] [9] [10] show that the malicious macro contained within downloads a malware executable from:
armandosofsalem.com/l9k7hg4/b4387kfd.exe
trinity.ad-ventures.es/l9k7hg4/b4387kfd.exe
188.226.152.172/l9k7hg4/b4387kfd.exe
This dropped binary has a detection rate of 4/55. It is unclear what it does, as it throws an error in the Malwr report. The payload is almost certainly the Dridex banking trojan, and even if this version is faulty, it is likely that the malware will be fixed shortly.
Dropped file MD5:
a8a42968a9bb21bd030416c32cd34635
Attachment MD5s:
bc207bf8ad4c2dae92af9d333ca21346
829036f46897feed35381741d5b3872e
0fcc9eb9af29b5525b30d53755a413d9
e61abe8ad3d7f8b6bcf010ea6b51c0e3
29fe81a081127fa55fbab0ae1accaf05
UPDATE
The Hybrid Analysis of the dropped binary shows attempted network traffic to the following domains:
exotelyxal.com
akexadyzyt.com
ekozylazal.com
These are hosted on an IP worth blocking:
158.255.6.128 (Mir Telematiki Ltd, Russia)
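As an added example (not part of the original post), the following Python checker turns the indicators above into detection logic: it flags proxy requests to the payload hosts or the shared download path l9k7hg4/b4387kfd.exe, connections to the Dridex domains or their hosting IP, and mail-gateway attachment hashes matching the listed MD5s. The Squid-style log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators from the post: hosts serving the macro's payload, the download path
# they share, the dropped binary's C2 domains and the IP hosting them.
PAYLOAD_HOSTS = {"armandosofsalem.com", "trinity.ad-ventures.es", "188.226.152.172"}
PAYLOAD_PATH = "/l9k7hg4/b4387kfd.exe"
C2_DOMAINS = {"exotelyxal.com", "akexadyzyt.com", "ekozylazal.com"}
C2_IP = "158.255.6.128"
KNOWN_MD5S = {
    "a8a42968a9bb21bd030416c32cd34635",  # dropped b4387kfd.exe
    "bc207bf8ad4c2dae92af9d333ca21346", "829036f46897feed35381741d5b3872e",
    "0fcc9eb9af29b5525b30d53755a413d9", "e61abe8ad3d7f8b6bcf010ea6b51c0e3",
    "29fe81a081127fa55fbab0ae1accaf05",
}

def classify_url(url):
    """Return the reasons a requested URL (or bare host:port) matches this campaign."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in PAYLOAD_HOSTS:
        reasons.append("payload host")
    # Same path on a new host: the campaign rotates compromised sites.
    if parts.path.lower() == PAYLOAD_PATH:
        reasons.append("payload path")
    if host == C2_IP or any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("dridex c2")
    return reasons

def scan_proxy_log(lines):
    """Squid access.log fields: time, ms, client, result, bytes, method, url, ..."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        reasons = classify_url(fields[6])
        if reasons:
            hits.append((fields[2], fields[6], reasons))
    return hits

def flag_attachment_hash(md5_hex):
    """True if a mail-gateway attachment hash matches one of the known samples."""
    return md5_hex.strip().lower() in KNOWN_MD5S

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "1452672000.001 245 10.0.0.5 TCP_MISS/200 188416 GET http://armandosofsalem.com/l9k7hg4/b4387kfd.exe - HIER_DIRECT/1.2.3.4 application/octet-stream",
    "1452672001.002 12 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/5.6.7.8 text/html",
    "1452672005.003 0 10.0.0.5 TCP_TUNNEL/200 3456 CONNECT exotelyxal.com:443 - HIER_DIRECT/158.255.6.128 -",
    "1452672009.004 300 10.0.0.9 TCP_MISS/200 188416 GET http://newhost.example.net/l9k7hg4/b4387kfd.exe - HIER_DIRECT/9.9.9.9 application/octet-stream",
]
```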