Sponsored by..

Friday 19 February 2016

Malware spam: "Rechnung Nr. 2016_131" / fueldner1A0@lfw-ludwigslust.de

This German language spam does not comes from LFW Ludwigsluster but is instead a simple forgery with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.

From:    fueldner1A0@lfw-ludwigslust.de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131

Sehr geehrte Damen und Herren,

bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:

LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG

Vielen Dank!

Mit freundlichen Grüßen

Anke Füldner


Tel.: 03874-422038
Fax: 03874-4220844


LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG, Bauernallee 9, 19288 Ludwigslust
HRA 1715, Amtsgericht Schwerin
Geschäftsführer: U.Müller, U.Warncke
USt.-IdNr. DE202820580, St.Nr. 08715803209
Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen enthalten. Wenn Sie nicht der richtige Adressant sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten diese E-Mail und alle Anhänge und Ausdrucke unverzüglich.
Das Gebrauchen, Publizieren, Kopieren oder Ausdrucken sowie die unbefugte Weitergabe des Inhalts dieser E-Mail ist nicht erlaubt.
This e-mail and any attached files may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with zero detection rates at VirusTotal [1] [2]. Malwr analysis of one of the samples shows that a binary is downloaded from:


Other samples probably have different download locations. This executable has a detection rate of 7/53 and it appears to drop another executable with a relatively high detection rate of 26/55. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.

The malware phones home to: (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)

But in fact the entire range looks pretty bad and I recommend that you block it.

Incidentally, full credit to the company involved in putting this massive banner on their website warning people about the fake email..


An additional analysis from a trusted source (thank you). Download locations are:


The malware phones home to:

The active C2s (some may be sinkholes) appear to be: (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany) (vstoike.com / Fishnet Communications, Russia) (Agava Ltd, Russia) (Joes Datacenter, US)

Analysis those C2 locations give a recommended blocklist of:

No comments: