From: warehouse | Harrison [warehouse@harrisonproducts.net]
Date: Fri, 26 Feb 2016 18:07:04 +0500
Subject: Your Order has been despatched from Harrison

Dear Customer
Thank you for your valued Order, your Despatch Confirmation is attached
If there are any queries relating to this delivery please contact our Customer Service
Team on 01451 830083 or email sales@harrisonproducts.net
Kind Regards
The Harrison Products Team
Harrison Products Co. Sterling House, Moreton Road, Longborough, Glos. GL56 0QJ

I have seen only one sample of this, with an attachment named Order ref. 16173.xls which has a VirusTotal detection rate of 6/55. This Malwr report and this Hybrid Analysis report for that sample show a binary being downloaded from:

thetoyshop.by/system/logs/76tg654viun76b
There are probably other download locations too. This dropped file has a detection rate of 3/52. Those two reports indicate that this is the Dridex banking trojan. It phones home to:
203.162.141.13 (VietNam Data Communication Company, Vietnam)
I strongly recommend that you block traffic to that IP.
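As an added example (not part of the original post), here is a small Python matcher that checks proxy and mail log lines for the indicators listed above: the payload host, the C2 IP, the lure sender and the attachment name. The Squid-style proxy format, the mail log format and all sample addresses and timestamps are assumed and constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
C2_IPS = {"203.162.141.13"}
PAYLOAD_HOSTS = {"thetoyshop.by"}
LURE_SENDER = "warehouse@harrisonproducts.net"
LURE_ATTACHMENT = "order ref. 16173.xls"

# Assumed Squid-style access log: ts elapsed client code/status bytes method url ...
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Assumed mail log: ts from=<addr> to=<addr> attachment="name"
MAIL_RE = re.compile(r'from=<(?P<from>[^>]+)>.*?attachment="(?P<name>[^"]+)"')

def match_proxy_line(line):
    """Return (client, reason) if the line touches a network indicator, else None."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:          # CONNECT lines log only host:port
        url = "//" + url
    host = urlsplit(url).hostname or ""
    if host in C2_IPS:
        return (m.group("client"), f"C2 beacon to {host}")
    if host in PAYLOAD_HOSTS:
        return (m.group("client"), f"payload download from {host}")
    return None

def match_mail_line(line):
    """Return the list of lure indicators a mail log line matches, else None."""
    m = MAIL_RE.search(line)
    if not m:
        return None
    reasons = []
    if m.group("from").lower() == LURE_SENDER:
        reasons.append("sender matches lure")
    if m.group("name").lower() == LURE_ATTACHMENT:
        reasons.append("attachment name matches lure")
    return reasons or None

# Constructed sample logs: one clean proxy line, the payload fetch, the C2 beacon, one lure mail.
SAMPLE_PROXY = [
    "1456484830.123 45 10.0.0.17 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1456484855.401 310 10.0.0.17 TCP_MISS/200 196608 GET http://thetoyshop.by/system/logs/76tg654viun76b - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1456484870.777 120 10.0.0.17 TCP_TUNNEL/200 4096 CONNECT 203.162.141.13:443 - HIER_DIRECT/203.162.141.13 -",
]
SAMPLE_MAIL = [
    '2016-02-26T13:07:04Z from=<warehouse@harrisonproducts.net> to=<user@corp.example> attachment="Order ref. 16173.xls"',
    '2016-02-26T13:09:11Z from=<alice@partner.example> to=<user@corp.example> attachment="invoice.pdf"',
]
```

Feed real proxy and mail logs line by line through the two functions; a client that shows up on both the payload host and the C2 IP should be treated as infected rather than merely exposed.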
1 comment:
I've spotted a similar mail with an attachment with the same name. The system that this mail was received on did not allow any further analysis.