From: FX Service [emailsend@w.e191.victimdomain.tld]
Date: 21 March 2016 at 14:32
Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached is a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:
http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe
There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56. This Malwr report of the payload indicates that it is Locky ransomware.
All of those sources plus this Deepviz report show network traffic to the following IPs:
195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)
If I receive more information I will post it here.
Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90
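The following is an added example, not part of the original post, showing how a defender might sweep proxy logs for the indicators listed above (the blocklisted IPs, the dropper download hosts, the 89h766b.exe payload name and the F-digits-digits-digits-digits.zip attachment pattern). The log format is an assumption (timestamp, client IP, destination IP, method, URL, space-separated), and the sample log lines and the destination IPs in them are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
BLOCKLIST_IPS = {
    "195.64.154.126",
    "92.63.87.106",
    "84.19.170.244",
    "217.12.199.90",
}
DOWNLOAD_URLS = [
    "http://modaeli.com/89h766b.exe",
    "http://spormixariza.com/89h766b.exe",
    "http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe",
    "http://cideac.mx/wp-content/plugins/hello123/89h766b.exe",
]
DOWNLOAD_HOSTS = {urlparse(u).hostname for u in DOWNLOAD_URLS}
PAYLOAD_NAME = "89h766b.exe"

# Attachment naming seen in the campaign: F-<digits>-<digits>-<digits>-<digits>.zip
ATTACHMENT_RE = re.compile(r"^F-\d+-\d+-\d+-\d+\.zip$", re.IGNORECASE)

# Assumed proxy log format: "<timestamp> <client_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")


def check_log_line(line):
    """Return the list of indicator matches for one log line ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: not a match, but worth logging elsewhere
    reasons = []
    dst = m.group("dst")
    parsed = urlparse(m.group("url"))
    if dst in BLOCKLIST_IPS:
        reasons.append(f"destination {dst} is on the blocklist")
    if parsed.hostname in DOWNLOAD_HOSTS:
        reasons.append(f"host {parsed.hostname} served the Locky dropper")
    # Match on the payload filename too: the same dropper was hosted on
    # several sites, so the hostname list alone is unlikely to be complete.
    if parsed.path.endswith("/" + PAYLOAD_NAME):
        reasons.append(f"request for payload filename {PAYLOAD_NAME}")
    return reasons


def scan_logs(lines):
    """Return (line, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = check_log_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def is_suspicious_attachment(filename):
    """True if an e-mail attachment name fits the campaign's fake-fax ZIP pattern."""
    return bool(ATTACHMENT_RE.match(filename))


# Constructed sample log lines; the destination IPs for the download hosts
# are TEST-NET addresses, not real resolutions.
SAMPLE_LOG = [
    "2016-03-21T14:35:02 10.0.0.15 93.184.216.34 GET http://example.com/index.html",
    "2016-03-21T14:35:10 10.0.0.15 203.0.113.7 GET http://modaeli.com/89h766b.exe",
    "2016-03-21T14:36:41 10.0.0.15 195.64.154.126 POST http://195.64.154.126/",
    "2016-03-21T14:37:00 10.0.0.22 203.0.113.9 GET http://cdn.example.net/wp-content/plugins/hello123/89h766b.exe",
]

if __name__ == "__main__":
    for line, reasons in scan_logs(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
    print("attachment check:", is_suspicious_attachment("F-7172277033-1974602246-2016032111285-47417.zip"))
```

The client 10.0.0.15 in the sample fetches the dropper and then talks to a blocklisted address within a couple of minutes, which is the sequence you would expect from a successful infection; triaging hits by client and time makes that pattern visible.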