From: Orders - TSSC [Orders@thesafetysupplycompany.co.uk]
Date: 15 January 2016 at 09:06
Subject: Your order #7738326 From The Safety Supply Company
Dear Customer,
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
Regards,
The Sales Team
So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55. Analysis of this document is pending, however it is likely to be the Dridex banking trojan.
UPDATE 1
This Hybrid Analysis on the first sample shows it downloading from:
149.156.208.41/~s159928/786585d/08g7g6r56r.exe
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54] which has similar characteristics.
Dropped file MD5:
9138e36d70ab94349558c61e92ab9ae2
Attachment MD5s:
d5a25f10cb91e0afd00f970cee7c5f01
985bb69a8c292d90a5bd51b3dbec76ac
UPDATE 2
This related spam run gives some additional download locations:
nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe
arm.tv/786585d/08g7g6r56r.exe
Sources also tell me that there is one at:
204.197.242.166/~topbun1/786585d/08g7g6r56r.exe
Recommended blocklist:
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41
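As an added example that is not part of the original post, the script below turns the indicators listed above (download URLs, the IPs the executable communicates with, the recommended blocklist and the MD5s) into a simple checker that can be run over proxy or firewall logs. The log format and the sample lines are constructed for illustration; the indicator values themselves are copied from the post.

```python
"""Match log lines and file hashes against the Dridex indicators from the post.
Added example, not the post's own tooling. Log format and sample lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post (download locations, C2 IPs, blocklist, hashes).
DOWNLOAD_URLS = {
    "149.156.208.41/~s159928/786585d/08g7g6r56r.exe",
    "nasha-pasika.lviv.ua/786585d/08g7g6r56r.exe",
    "arm.tv/786585d/08g7g6r56r.exe",
    "204.197.242.166/~topbun1/786585d/08g7g6r56r.exe",
}
C2_IPS = {"216.117.130.191", "41.38.18.230", "5.9.37.137"}
BLOCKLIST = {
    "88.208.35.71", "216.117.130.191", "116.12.92.107", "46.32.243.144",
    "195.96.228.199", "161.53.144.25", "41.38.18.230", "204.197.242.166",
    "149.156.208.41",
}
DROPPED_MD5 = "9138e36d70ab94349558c61e92ab9ae2"
ATTACHMENT_MD5S = {"d5a25f10cb91e0afd00f970cee7c5f01", "985bb69a8c292d90a5bd51b3dbec76ac"}

# Every download location in the post ends in the same path, so a request for that
# path on an unlisted host is still worth flagging (weaker signal, separate label).
DOWNLOAD_PATH = "/786585d/08g7g6r56r.exe"

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def classify(line):
    """Return the list of indicator labels that match one log line (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)  # CONNECT lines have no scheme
    host = parts.hostname or ""
    hits = []
    if host + parts.path in DOWNLOAD_URLS:
        hits.append("dridex-download-url")
    elif parts.path.endswith(DOWNLOAD_PATH):
        hits.append("dridex-download-path")
    try:
        ip = str(ipaddress.ip_address(host))  # only literal IPs reach the IP checks
    except ValueError:
        ip = None
    if ip in C2_IPS:
        hits.append("dridex-c2-ip")
    if ip in BLOCKLIST:
        hits.append("blocklist")
    return hits


def scan(lines):
    """Return (line, hits) for every log line with at least one indicator hit."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


def match_hash(md5_hex):
    """Classify an MD5 (hex string) against the hashes given in the post."""
    h = md5_hex.strip().lower()
    if h == DROPPED_MD5:
        return "dropped-executable"
    if h in ATTACHMENT_MD5S:
        return "malicious-attachment"
    return None


# Constructed sample log: one clean request plus hits of each kind.
SAMPLE_LOG = """\
1452850000.123 10.1.2.3 GET http://149.156.208.41/~s159928/786585d/08g7g6r56r.exe 200
1452850001.456 10.1.2.4 GET http://www.example.com/index.html 200
1452850002.789 10.1.2.3 CONNECT 216.117.130.191:443 200
1452850003.000 10.1.2.5 GET http://arm.tv/786585d/08g7g6r56r.exe 404
1452850004.000 10.1.2.6 GET http://unlisted.example/786585d/08g7g6r56r.exe 200
""".splitlines()

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
    print(match_hash("9138E36D70AB94349558C61E92AB9AE2"))
```

The blocklist and C2 checks only fire on literal IP addresses in the URL; a hostname that resolves to one of those IPs would need a DNS log or resolver check in addition, which is why the full download URLs and the shared payload path are matched separately.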
2 comments:
http://pastebin.com/Rqh7Y1j0
The above config was posted at 0350CDT. I believe this may have been before the SPAM runs started but cannot be sure.