From: DocuCentre-IV [DocuCentre1230@victimdomain.tld]
Date: 5 May 2016 at 10:27
Subject: Scan Data
Number of Images: 1
Attachment File Type: PDF
----=_Part_45251_4627454344.4826709420825--
Details vary slightly from message to message. Despite the "Attachment File Type: PDF" line in the body, the attachment is a DOC file (not a PDF); in the samples I have seen its name starts with PIC, DOC or IMG followed by a random number. Typical VirusTotal detection rates are 6/56 [1] [2] [3] [4] [5] [6]. Various automated analyses of these documents [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] show a binary being downloaded from the following locations:
fm1.ntlweb.org/87hcnrewe
iconigram.com/87hcnrewe
www.sammelarmband.de/87hcnrewe
hospice.psy.free.fr/87hcnrewe
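The mismatch between the declared "PDF" attachment and the actual DOC file is the easiest thing to catch at the mail gateway, because the first bytes of the file cannot be faked by the message body. The following Python is an added example (not code from this post or from any of the analysis services linked above) of the checks I would run on an inbound attachment: sniff the container type from its magic bytes, compare it with the declared type, look for a VBA project inside an OLE2 document, and match the PIC/DOC/IMG plus digits filename pattern seen in this campaign. The sample PDF and OLE2 blobs at the bottom are constructed for the demonstration and are not real documents; the VBA check is a string heuristic, not a full Compound File parser.

```python
import re

# Magic numbers at the start of the file; these are what to trust, not the
# "Attachment File Type: PDF" line in the message body.
PDF_MAGIC = b"%PDF-"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx (OOXML) are ZIP archives

# Map a declared type (message body or file extension) to the container type
# the magic bytes would reveal for a genuine file of that type.
DECLARED_TO_CONTAINER = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "docx": "zip", "xlsx": "zip"}

# Filenames seen in this campaign: PIC, DOC or IMG, a run of digits, .doc extension.
CAMPAIGN_NAME = re.compile(r"^(PIC|DOC|IMG)\d+\.doc$", re.IGNORECASE)

# Compound File directory entries store stream/storage names as UTF-16LE, so the
# VBA project stream name shows up in the raw bytes. Heuristic, not a full parser.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """Cheap macro check for OLE2 files: look for the _VBA_PROJECT stream name."""
    return sniff_type(data) == "ole2" and VBA_MARKER in data


def assess_attachment(declared_type: str, filename: str, data: bytes) -> list:
    """Return the reasons to quarantine the attachment (empty list: nothing found)."""
    reasons = []
    actual = sniff_type(data)
    declared = declared_type.strip().lower()
    if DECLARED_TO_CONTAINER.get(declared, declared) != actual:
        reasons.append(f"declared type {declared_type!r} but content is {actual}")
    if has_vba_project(data):
        reasons.append("OLE2 document carries a VBA project (macros)")
    if CAMPAIGN_NAME.match(filename):
        reasons.append("filename matches this campaign's PIC/DOC/IMG<digits>.doc pattern")
    return reasons


# Constructed test inputs (not real files): a minimal PDF header and a fake OLE2
# blob with the VBA stream name placed where a directory entry would hold it.
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 64

if __name__ == "__main__":
    print(assess_attachment("PDF", "scan.pdf", SAMPLE_PDF))        # []
    print(assess_attachment("PDF", "PIC123456.doc", SAMPLE_DOC))   # three reasons
```

A gateway rule that quarantines on any non-empty result from `assess_attachment` would have stopped this campaign on the type mismatch alone, before anyone had to open the document; the macro and filename checks are there so the rule still fires when the sender fixes the body text.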
This dropped file has a detection rate of 5/46. A Hybrid Analysis report and a DeepViz report show subsequent network traffic to:
192.241.252.152 (Digital Ocean, US)
195.169.147.26 (Culturegrid.nl, Netherlands)
70.164.127.132 (Southland Technology, US)
The characteristics of the payload suggest this is the Dridex banking trojan.
Recommended blocklist:
192.241.252.152
195.169.147.26
70.164.127.132
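Blocking the three addresses is the quick fix; the more useful step is to check whether anything on the network has already fetched the payload or talked to those hosts. The Python below is an added example (not code from this post) that runs the indicators listed above over log lines: proxy requests are matched on the download hosts, and also on the path alone, since all four download hosts serve the same /87hcnrewe path and an unlisted host serving it is just as suspicious; connection records are matched on the C2 addresses. The proxy lines assume Squid's native access.log layout and the flow lines assume a simplified "timestamp src -> dst:port" format; both the formats and the sample lines are constructed for the demonstration, not taken from a real network.

```python
import re
from urllib.parse import urlsplit

# Indicators listed in this post.
DOWNLOAD_URLS = [
    "fm1.ntlweb.org/87hcnrewe",
    "iconigram.com/87hcnrewe",
    "www.sammelarmband.de/87hcnrewe",
    "hospice.psy.free.fr/87hcnrewe",
]
C2_IPS = {"192.241.252.152", "195.169.147.26", "70.164.127.132"}

DOWNLOAD_HOSTS = {u.split("/", 1)[0].lower() for u in DOWNLOAD_URLS}
# Every download host serves the same path, so the path alone is worth matching:
# it still fires when the campaign adds hosts that are not on the list yet.
DOWNLOAD_PATHS = {"/" + u.split("/", 1)[1] for u in DOWNLOAD_URLS}

# Squid native access.log layout (assumed): ts elapsed client code/status bytes method url ...
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# Simplified firewall/flow line (assumed format): "ts src -> dst:dport"
FLOW_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def check_proxy_line(line):
    """Return (kind, client, url) when a proxy request hits a download indicator."""
    m = PROXY_LINE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        return ("download_host", m.group("client"), url)
    if parts.path in DOWNLOAD_PATHS:
        return ("download_path", m.group("client"), url)
    return None


def check_flow_line(line):
    """Return (kind, src, dst) when a connection goes to a listed C2 address."""
    m = FLOW_LINE.match(line)
    if not m:
        return None
    if m.group("dst") in C2_IPS:
        return ("c2_ip", m.group("src"), m.group("dst"))
    return None


def scan(lines):
    """Run both checks over mixed log lines and collect the hits in order."""
    hits = []
    for line in lines:
        hit = check_proxy_line(line) or check_flow_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log lines (not from the post or any real network).
SAMPLE_LOGS = [
    "1462443000.123 245 10.0.0.17 TCP_MISS/200 87344 GET http://fm1.ntlweb.org/87hcnrewe - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1462443001.456 12 10.0.0.17 TCP_MISS/200 1034 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.6 text/html",
    "1462443002.789 300 10.0.0.42 TCP_MISS/200 87344 GET http://cdn.example.net/87hcnrewe - HIER_DIRECT/203.0.113.7 application/octet-stream",
    "1462443010.000 10.0.0.17 -> 192.241.252.152:443",
    "1462443011.000 10.0.0.17 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

On the sample lines this reports 10.0.0.17 fetching the payload from a listed host and then connecting to one of the C2 addresses, and 10.0.0.42 fetching the same path from a host that is not on the list. Any client that appears in a download hit should be treated as compromised regardless of whether a C2 hit follows, since the C2 list above is only what the sandbox runs happened to see.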