This fake financial email (sent to "Dear costumer") has a malicious attachment.
From: Velma hodson
Date: 29 February 2016 at 16:49
Subject: Invoice #16051052/15
Dear costumer,
You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.
In attachment you will find a reconciliation of the past 12 months (year 2015).
Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.
I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js that looks like this [pastebin]. The script has a VirusTotal detection rate of 2/55 and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:
ohiyoungbuyff.com/69.exe?1
helloyungmenqq.com/69.exe?1
The domain names have a similar theme, indicating that the servers are malicious. It might be worth blocking:
91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)
This Malwr report shows that the dropped payload is ransomware, calling home to the following domains:
biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu
I recommend that you block traffic to those domains plus the two IPs, giving a recommended blocklist of:
91.196.50.241
50.3.16.250
biocarbon.com.ec
imagescroll.com
music.mbsaeger.com
stacon.eu
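As an added example (not code from the original post), the following Python script checks proxy log lines against the indicators above, matching subdomains of the listed domains as well as the bare IPs; it also includes the two payload download hostnames alongside the recommended blocklist. The log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the download hosts' IPs and the ransomware callback domains.
BLOCK_IPS = {"91.196.50.241", "50.3.16.250"}
BLOCK_DOMAINS = {
    "ohiyoungbuyff.com", "helloyungmenqq.com",   # payload download hosts
    "biocarbon.com.ec", "imagescroll.com",        # ransomware callback domains
    "music.mbsaeger.com", "stacon.eu",
}

def is_blocked_host(host):
    """True if host is a listed IP, a listed domain, or a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in BLOCK_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    # walk up the label chain so that www.stacon.eu matches stacon.eu
    return any(".".join(labels[i:]) in BLOCK_DOMAINS for i in range(len(labels)))

# Constructed proxy log lines (assumed format: timestamp client_ip method url status).
SAMPLE_LOG = """\
2016-02-29T16:52:01 10.0.0.5 GET http://ohiyoungbuyff.com/69.exe?1 200
2016-02-29T16:52:03 10.0.0.5 GET http://www.example.com/index.html 200
2016-02-29T16:53:10 10.0.0.5 POST http://music.mbsaeger.com/gate.php 200
2016-02-29T16:53:12 10.0.0.7 GET http://91.196.50.241/69.exe?1 200
2016-02-29T16:54:00 10.0.0.9 GET http://notstacon.eu/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def find_hits(log_text):
    """Return (client_ip, host) for every line whose URL host is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        host = urlsplit(url).hostname or ""
        if is_blocked_host(host):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_LOG):
        print(f"{client} contacted blocked host {host}")
```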