From: Laurence Cottle [lcottle60@gmail.com]
Date: 18 February 2016 at 13:35
Subject: Payment
Hi
Any chance of getting this invoice paid, please?
Many thanks
Laurence
Attached is a file, unnamed document.docm, which comes in several different versions.
Third-party analysis (thank you!) reveals that there are download locations at:
This dropped a malicious binary with a detection rate of 3/55, since updated to one with a detection rate of 4/55.
MD5s:
a40d4d655cd638e7d52f7a6cdedc5a8e
9f622033cfe7234645c3c2d922ed5279
The malware phones home to:
Out of those, the most suspect IPs are:
195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)
Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70
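As an added example (not part of the original post), here is a Python check a defender could run over web proxy logs to find the phone-home traffic described above: it flags any request to an IP on the recommended blocklist, and also any main.php fetched directly from a bare IP address, since that is the shape of this campaign's callback URLs. The log format and the log lines are constructed sample data, not real traffic.

```python
import re
from ipaddress import ip_address

# Recommended blocklist from the post (the callback IPs).
BLOCKLIST = {"195.154.241.208", "46.4.239.76", "94.242.57.45", "69.195.129.70"}

# Constructed sample proxy log (not real traffic), one request per line:
# <unix_time> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1455802500.101 10.0.0.12 GET http://www.example.com/index.html 200
1455802501.204 10.0.0.12 GET http://195.154.241.208/main.php 200
1455802502.310 10.0.0.33 POST http://94.242.57.45/main.php 200
1455802503.412 10.0.0.45 GET http://203.0.113.7/main.php 404
1455802504.520 10.0.0.45 GET http://update.example.org/main.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#\s]*)?")

def is_bare_ip(host):
    """True if the URL host is a literal IP address rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    """'blocklisted' if the host is a known callback IP, 'suspicious' if main.php
    is fetched from some other bare IP (the campaign's callback shape), else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1), m.group(2) or "/"
    if host in BLOCKLIST:
        return "blocklisted"
    if is_bare_ip(host) and path.endswith("/main.php"):
        return "suspicious"
    return None

def scan_log(text):
    """Return (client_ip, url, verdict) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (verdict := classify(m.group(4))):
            hits.append((m.group(2), m.group(4), verdict))
    return hits
```

The "suspicious" verdict is a heuristic for catching callback hosts that were not on the list at the time of writing; treat it as a lead to investigate, not as proof of infection.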
4 comments:
I just discovered this e-mail in my Mailwasher display. Thank you for confirming that this is malware.
Thank you! I just got this as well and since I sometimes pay invoices....
What do I do if I opened the attachment on my iphone? Thanks for any help you can give.
Thanks for this notification, I am deleting the email from my inbox right now!