From: Cedrick Burch
Date: 2 March 2016 at 10:31
Subject: Payment Confirmation
Dear User,
The attached document is a transaction payment confirmation from USMarketing Ltd.
Thank you for your business - we appreciate it very much.
Sincerely,
Cedrick Burch
Project Manager
=============
From: Alfredo Bauer
Date: 2 March 2016 at 10:24
Subject: Invoice
Dear User,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Alfredo Bauer
Project Manager
I received only two samples (VT [1] [2]) of which only one worked in Malwr (this is the other). However, third-party analysis (thank you) shows download locations at:
Each location has a different binary (VT [1] [2] [3] [4] [5] [6]) which between them phone home to the following IPs:
95.213.184.10 (Selectel, Russia)
192.71.213.69 (EDIS, Spain)
217.172.182.99 (PlusServer, Germany)
The payload is Locky ransomware.
Recommended blocklist:
95.213.184.10
192.71.213.69
217.172.182.99
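As an added example (not part of the original post), the recommended blocklist applied to a few constructed firewall-export lines: flag any connection to the listed phone-home addresses and pick out the hosts that completed one, since those are the ones to triage for a Locky infection first. The log format and host names are assumptions, not a real product's output.

```python
import re

# Recommended blocklist from the post: addresses the dropped binaries phone home to.
LOCKY_C2_BLOCKLIST = {
    "95.213.184.10": "Selectel, Russia",
    "192.71.213.69": "EDIS, Spain",
    "217.172.182.99": "PlusServer, Germany",
}

# Constructed sample lines in an assumed export format (not real traffic):
# timestamp, source host, destination IP, destination port, action.
SAMPLE_LOG = """\
2016-03-02T10:35:12Z ws-finance-07 95.213.184.10 80 allowed
2016-03-02T10:35:40Z ws-finance-07 203.0.113.5 443 allowed
2016-03-02T10:36:01Z ws-hr-02 217.172.182.99 80 allowed
2016-03-02T10:36:09Z ws-hr-02 192.71.213.69 80 denied
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)

def find_c2_hits(log_text, blocklist=LOCKY_C2_BLOCKLIST):
    """Return one dict per log line whose destination is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the sweep
        dst = m.group("dst")
        if dst in blocklist:
            hits.append({
                "time": m.group("ts"),
                "host": m.group("src"),
                "dst": dst,
                "provider": blocklist[dst],
                "action": m.group("action"),
            })
    return hits

def hosts_to_isolate(hits):
    """Hosts that completed (allowed) a connection to C2 go to the front of the triage queue."""
    return sorted({h["host"] for h in hits if h["action"] == "allowed"})

if __name__ == "__main__":
    for h in find_c2_hits(SAMPLE_LOG):
        print(f'{h["time"]} {h["host"]} -> {h["dst"]} ({h["provider"]}) {h["action"]}')
    print("isolate:", hosts_to_isolate(find_c2_hits(SAMPLE_LOG)))
```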
1 comment:
Locky indeed.
Unpacked binary: https://www.virustotal.com/en/file/259eceb5621d980297ea5b59b63c8bd0787e94d66cc9d78bc51d63824c26fc73/analysis/1456922081/