From: Dora Bain
Date: 7 June 2016 at 03:37
Subject: Good morning
What's Up?
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.
With gratitude,
--
Dora Bain

In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way.
This downloads a file from 80.82.64.198/subid1.exe, which is then saved as %APPDATA%\us_drones_kills_civilians.exe. VirusTotal gives that file a detection rate of 20/56, with the detections broadly agreeing that it is Cerber ransomware.
The IP address 80.82.64.198 is allocated to Quasi Networks Ltd, an apparent Seychelles shell company (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24, so the whole /24 is a good candidate to block. Incidentally, the same IP hosts best-booters.com, which is likely to be a DDoS-for-hire site.
According to the VT report, the malware probes port 6892 on every address from 85.93.0.0 through to 85.93.63.255 (i.e. 85.93.0.0/18). However, the Hybrid Analysis report indicates that the only server to respond is 85.93.0.124 (GuardoMicro SRL, Romania), which sits in the notoriously bad 85.93.0.0/24 and is a good thing to block. Note that blocking that /24 only stops the sample reaching the host that answered; the probes to the rest of the /18 on port 6892 will still be visible on your network, and that burst is itself worth alerting on.
That report also shows traffic to ipinfo.io, which is a legitimate "what is my IP" service. It is not malicious in its own right, but a request to it from a host that has no business making one is a potentially good indicator of compromise.
Recommended blocklist:
80.82.64.0/24
85.93.0.0/24
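The indicators above (the download URL, the port 6892 probing of 85.93.0.0/18, the one responding host, the ipinfo.io lookup and the two recommended /24s) can be turned into a small triage script. The following is an added example written for this page, not code from the original post or from any of the analysis services it cites. It parses a constructed set of key=value flow records (the sample lines and the 10.0.0.x, 203.0.113.x and 198.51.100.x addresses are invented for the demo), tags each record against the indicators, promotes a burst of port 6892 probes across the /18 into a "spray" finding, grades each source host, and checks what the recommended blocklist does and does not cover.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the write-up: the download host, the range the sample
# probes on port 6892, the one host that answered, the recommended blocklist,
# and the IP-lookup service the sample contacts.
DOWNLOAD_HOST = ipaddress.ip_address("80.82.64.198")
DOWNLOAD_URI = "/subid1.exe"
SCAN_RANGE = ipaddress.ip_network("85.93.0.0/18")  # 85.93.0.0 .. 85.93.63.255
SCAN_PORT = 6892
RESPONDING_HOST = ipaddress.ip_address("85.93.0.124")
BLOCKLIST = [ipaddress.ip_network(n) for n in ("80.82.64.0/24", "85.93.0.0/24")]
IPINFO_HOSTS = {"ipinfo.io"}

# Constructed sample records (not real captures) in a simple key=value flow
# format. 203.0.113.5 and 198.51.100.7 are documentation addresses standing
# in for whatever ipinfo.io and an unrelated site resolved to.
SAMPLE_LOGS = """\
2016-06-07 03:41:02 src=10.0.0.15 dst=80.82.64.198 dport=80 host=80.82.64.198 uri=/subid1.exe
2016-06-07 03:41:09 src=10.0.0.15 dst=203.0.113.5 dport=80 host=ipinfo.io uri=/json
2016-06-07 03:41:11 src=10.0.0.15 dst=85.93.0.1 dport=6892
2016-06-07 03:41:11 src=10.0.0.15 dst=85.93.0.124 dport=6892
2016-06-07 03:41:11 src=10.0.0.15 dst=85.93.17.200 dport=6892
2016-06-07 03:41:12 src=10.0.0.15 dst=85.93.63.255 dport=6892
2016-06-07 03:41:12 src=10.0.0.15 dst=85.93.64.1 dport=6892
2016-06-07 03:42:00 src=10.0.0.22 dst=198.51.100.7 dport=443 host=example.com uri=/
2016-06-07 03:42:30 src=10.0.0.22 dst=203.0.113.5 dport=80 host=ipinfo.io uri=/ip
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'date time k=v k=v ...' into a dict with typed dst/dport fields."""
    date, time, rest = line.split(" ", 2)
    rec = dict(FIELD.findall(rest))
    rec["ts"] = f"{date} {time}"
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def tag_record(rec):
    """Indicator tags a single record matches on its own."""
    tags = set()
    dst = rec["dst"]
    if any(dst in net for net in BLOCKLIST):
        tags.add("blocklisted-range")
    if dst == DOWNLOAD_HOST and rec.get("uri", "").endswith(DOWNLOAD_URI):
        tags.add("cerber-downloader-fetch")
    if dst in SCAN_RANGE and rec["dport"] == SCAN_PORT:
        tags.add("port-6892-probe")
    if rec.get("host") in IPINFO_HOSTS:
        tags.add("ipinfo-lookup")  # legitimate service; weak on its own
    return tags


def analyse(log_text, spray_threshold=3):
    """Per source host: collect tags, promote a burst of port 6892 probes
    across the /18 to a spray tag, and grade the result."""
    per_src = defaultdict(lambda: {"tags": set(), "probe_targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = per_src[rec["src"]]
        tags = tag_record(rec)
        entry["tags"] |= tags
        if "port-6892-probe" in tags:
            entry["probe_targets"].add(rec["dst"])

    strong = {"cerber-downloader-fetch", "cerber-6892-spray", "blocklisted-range"}
    verdicts = {}
    for src, entry in per_src.items():
        tags = set(entry["tags"])
        if len(entry["probe_targets"]) >= spray_threshold:
            tags.add("cerber-6892-spray")
        if tags & strong:
            grade = "likely-cerber"
        elif tags:
            grade = "weak-only"
        else:
            grade = "clean"
        verdicts[src] = (grade, sorted(tags))
    return verdicts


def blocklist_coverage():
    """What the two /24s do and do not cover: both named hosts, but not the
    whole /18 the sample probes."""
    def covered(ip):
        return any(ip in net for net in BLOCKLIST)
    return {
        "download_host": covered(DOWNLOAD_HOST),
        "responding_host": covered(RESPONDING_HOST),
        "whole_scan_range": any(SCAN_RANGE.subnet_of(net) for net in BLOCKLIST),
    }


if __name__ == "__main__":
    for src, (grade, tags) in sorted(analyse(SAMPLE_LOGS).items()):
        print(f"{src}: {grade} {tags}")
    print(blocklist_coverage())
```

The ipinfo.io lookup is deliberately kept as a weak tag: on its own it only yields a "weak-only" grade for 10.0.0.22, while 10.0.0.15 is graded "likely-cerber" because it fetched the downloader, touched a blocklisted range and sprayed port 6892 across several hosts in the /18. The coverage check makes the point from the analysis explicit: the two /24s cover 80.82.64.198 and 85.93.0.124 but not the whole 85.93.0.0/18 the sample probes.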
Comments:
We know a great deal about Quasi Networks - it's a rebrand of a Dutch hosting company called Ecatel, and they are nothing but trouble.
Quasi is Dutch, not Russian.