From: Idris Mohammed [idrismohammed25@gmail.com]
Date: 9 March 2016 at 09:55
Subject: DOC-Z21193008

Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4] [5] [6] shows the macro in these two documents downloading from:
gpcarshop.com.br/system/logs/07yhnt7r64.exe
karnavalnye.com/system/logs/07yhnt7r64.exe
There are no doubt several other download locations. This binary has a detection rate of 3/56. The various reports indicate that it phones home to a server at:
64.76.19.251 (Impsat, Argentina)
I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan.
UPDATE
A contact sent some more download locations (thank you!)
oceanglass.com.my/system/logs/07yhnt7r64.exe
variant13.ru/system/logs/07yhnt7r64.exe
e-kalogritsas.gr/system/logs/07yhnt7r64.exe
notasvet.ru/system/logs/07yhnt7r64.exe
racingtrack.ru/system/logs/07yhnt7r64.exe
...and also some additional C2s:
188.40.224.78 (NoTag Community / Hetzner, Germany)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
64.76.19.251
188.40.224.78
87.106.8.177
91.236.4.234
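Blocking the four IPs stops new beacons, but it does not tell you which machines already opened the document. The script below is an added example (not part of the original post) that runs the post's indicators over proxy logs: it flags the download hosts, the C2 IPs, and, more usefully, the URL path /system/logs/07yhnt7r64.exe, which stayed the same across every download host reported while the hostnames kept changing. The log line format and the sample log lines are constructed for the example; adapt LOG_RE to your own proxy's format.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators from the post above.
DOWNLOAD_HOSTS = {
    "gpcarshop.com.br", "karnavalnye.com", "oceanglass.com.my", "variant13.ru",
    "e-kalogritsas.gr", "notasvet.ru", "racingtrack.ru",
}
# The path was identical on every download host, so match it independently of
# the hostname to catch download locations that were not on the list.
PAYLOAD_PATH_RE = re.compile(r"^/system/logs/07yhnt7r64\.exe$", re.IGNORECASE)
C2_IPS = {ipaddress.ip_address(a) for a in (
    "64.76.19.251", "188.40.224.78", "87.106.8.177", "91.236.4.234",
)}

# Assumed (constructed) proxy log format:
# "<epoch_ts> <client_ip> <method> <url> <destination_ip> <http_status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<dst>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; addresses other than the IOCs are documentation ranges.
SAMPLE_LOG = """\
1457517600.101 10.0.0.12 GET http://gpcarshop.com.br/system/logs/07yhnt7r64.exe 203.0.113.5 200
1457517601.220 10.0.0.12 POST http://64.76.19.251/ 64.76.19.251 200
1457517602.400 10.0.0.30 GET http://example.org/index.html 93.184.216.34 200
1457517603.500 10.0.0.45 GET http://newhost.example/system/logs/07yhnt7r64.exe 203.0.113.9 200
1457517604.600 10.0.0.12 CONNECT 188.40.224.78:443 188.40.224.78 200
""".splitlines()


def classify(line):
    """Return the list of indicator types a log line matches.

    Returns None for lines that do not parse, and an empty list for clean lines.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw = m["url"]
    # CONNECT lines carry "host:port" with no scheme; give urlparse one.
    url = urlparse(raw if "://" in raw else "http://" + raw)
    host = (url.hostname or "").lower()
    reasons = []
    if host in DOWNLOAD_HOSTS:
        reasons.append("download-host")
    if PAYLOAD_PATH_RE.match(url.path):
        reasons.append("payload-path")
    try:
        if ipaddress.ip_address(m["dst"]) in C2_IPS:
            reasons.append("c2-ip")
    except ValueError:
        pass  # destination field was not an IP address; ignore it
    return reasons


def scan(lines):
    """Scan log lines and return one record per line that matched an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            hits.append({"line": n, "client": m["client"],
                         "url": m["url"], "reasons": reasons})
    return hits


def affected_clients(hits):
    """Distinct client addresses that touched any indicator, for incident scoping."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['client']} -> {h['url']} [{', '.join(h['reasons'])}]")
    print("clients to investigate:", affected_clients(found))
```

A client that fetched the .exe and then talked to a C2 (10.0.0.12 in the sample) should be treated as infected, not merely as having been targeted; a client that only fetched the payload (10.0.0.45) still needs the binary checked, since the 3/56 detection rate means your AV may well have let it run.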
2 comments:
also bad
zapdental.com.br 108.167.188.253
another
notasvet.ru 109.234.32.114