From "The Billing Team" [noreply@callbilling.co.uk]
Date Thu, 21 Jan 2016 11:44:19 +0100
Subject Your Telephone Bill Invoices & Reports
Please see the attached Telephone Bill & Reports.
Please use the contact information found on the invoice if you wish to contact your
service provider.
This message was sent automatically.
**********************************************************************************
If you have received this e-mail in error, please delete the message from your computer.
This e-mail and any attachments may contain information which is private and confidential
and should only be read by those persons to whom it is addressed. Your Call Billing
Provider accepts no liability for loss or damage suffered by any person arising from
the use of this e-mail.
The unauthorised use, disclosure or copying of this e-mail or any information contained
within, is strictly prohibited. Any views expressed in this e-mail are those of the
individual sender, except where the message states otherwise.
We take reasonable precautions to ensure our e-mails are virus free. We recommend
that you subject any incoming e-mail to your own virus checking procedure.
Please see the full terms and conditions on your call billing providers web site.
These are subject to change and we recommend that you review them periodically.

I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53. The Malwr report for that document shows a download location of:
bolmgren.com/8h75f56f/34qwj9kk.exe
That is one of the locations found with this earlier spam run, and the payload is the Dridex banking trojan.
1 comment:
Payload locations - same as previous bot runs
hxxp://bolmgren.com/8h75f56f/34qwj9kk.exe
hxxp://return-gaming.de/8h75f56f/34qwj9kk.exe
hxxp://phaleshop.com/8h75f56f/34qwj9kk.exe