From: Basia Slater [provequipmex@provequip.com.mx]
Date: 26 November 2015 at 12:00
Subject: GVH Payment

I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.

Basia Slater
Accountant
Comerica Incorporated

This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55, containing this malicious macro [pastebin]. The Malwr report for this version indicates a download from:

harbourviewnl.ca/jo.jpg?6625

According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53. The Hybrid Analysis report and Malwr report for that executable indicate malicious traffic to:
94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)
Note that 94.73.155.12 is mentioned in this other Dridex report today; both IPs form part of a small subnet, 94.73.155.8/29, suballocated to one "Geray Timur Akkurt".
My contacts (you know who you are, thank you) indicate that the emails are generated according to the following pattern:
> From: (random)
> Subject: ABC Transaction
- raw Subject: =?UTF-8?Q?ABC__Transaction?=
- matching /[A-Z]{1,3} (Invoice|Payment|Transaction|Transfer)/
> X-mailer: Thunderbird 9.23
- matching /[1-9]\.[1-9]{2}/
> Attachment: "Z98Y76.doc"
- matching /[A-Z0-9]{4,14}\.doc/

They indicate an additional download location of:

gofishretail.com/jo.jpg?[4-digit-random-number]

with an additional C2 location of:

113.30.152.170 (Net4india, India)
Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170
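The header pattern reported above and the recommended blocklist, turned into runnable detection logic. This is an added example and not code from the original post; the three messages it parses are constructed for the demonstration and are not the captured samples, and the assumption that the X-mailer string always reads "Thunderbird <version>" is taken from the single sample shown. One caveat a practitioner will want: the raw subject is an RFC 2047 Q-encoded word, and in Q encoding an underscore stands for a space, so as printed the two underscores in `ABC__Transaction` decode to two spaces. The published regex has a single literal space, which would not match the decoded header, so the example matches the decoded subject with `\s+` instead.

```python
"""Detection logic for the Dridex malspam pattern and blocklist reported above.

Added example, not part of the original post. The messages below are
constructed for this demonstration; the regexes and blocklist entries are
the ones reported on the page. That the X-mailer is always
"Thunderbird <version>" is an assumption taken from the one sample shown.
"""
import ipaddress
import re
from email import message_from_string
from email.header import decode_header

# Subject: in Q encoding '_' is a space, so "ABC__Transaction" decodes to two
# spaces. We therefore allow \s+ between the prefix and the keyword instead of
# the single literal space in the published pattern (our assumption).
SUBJECT_RE = re.compile(r"\b[A-Z]{1,3}\s+(Invoice|Payment|Transaction|Transfer)\b")
# X-mailer version: one non-zero digit, a dot, two non-zero digits (e.g. 9.23).
XMAILER_RE = re.compile(r"\b[1-9]\.[1-9]{2}\b")
# Attachment: 4 to 14 upper-case alphanumerics followed by .doc, nothing else.
ATTACH_RE = re.compile(r"[A-Z0-9]{4,14}\.doc")

# Recommended blocklist from the end of the post, as CIDR networks.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("94.73.155.8/29", "199.175.55.116/32", "113.30.152.170/32")]

# Constructed sample messages (not real captures).
DRIDEX_SAMPLE = """\
From: Basia Slater <provequipmex@provequip.com.mx>
To: victim@example.com
Subject: =?UTF-8?Q?ABC__Transaction?=
X-Mailer: Thunderbird 9.23
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please check the payment confirmation attached to this email.
--b1
Content-Type: application/msword; name="Z98Y76.doc"
Content-Disposition: attachment; filename="Z98Y76.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

NEAR_MISS_SAMPLE = """\
From: accounts@example.org
Subject: GVH Payment
X-Mailer: Microsoft Outlook 15.0
Content-Type: text/plain

Invoice attached.
"""

BENIGN_SAMPLE = """\
From: colleague@example.com
Subject: Agenda for Monday
X-Mailer: Thunderbird 38.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

See attached.
--b2
Content-Type: application/octet-stream; name="agenda-2015.docx"
Content-Disposition: attachment; filename="agenda-2015.docx"

not really a docx
--b2--
"""


def decoded(value):
    """Decode an RFC 2047 header value (=?charset?Q?...?=) to plain text."""
    if value is None:
        return ""
    out = []
    for text, charset in decode_header(value):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", "replace")
        out.append(text)
    return "".join(out)


def attachment_names(msg):
    """Filenames of every MIME part that carries one, RFC 2047-decoded."""
    return [decoded(part.get_filename())
            for part in msg.walk() if part.get_filename()]


def decoded_subject(raw):
    """The Subject header of a raw RFC 822 message after Q/B decoding."""
    return decoded(message_from_string(raw).get("Subject"))


def score_message(raw):
    """Report which of the three reported pattern elements a raw message matches."""
    msg = message_from_string(raw)
    return {
        "subject": bool(SUBJECT_RE.search(decoded(msg.get("Subject")))),
        "x_mailer": bool(XMAILER_RE.search(msg.get("X-Mailer", ""))),
        "attachment": any(ATTACH_RE.fullmatch(n) for n in attachment_names(msg)),
    }


def is_malspam(raw):
    """Flag only when all three elements line up; any one alone is too common."""
    return all(score_message(raw).values())


def ip_blocked(ip):
    """True when ip falls inside a blocklisted network (CIDR-aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


if __name__ == "__main__":
    for name, raw in (("dridex", DRIDEX_SAMPLE), ("near-miss", NEAR_MISS_SAMPLE),
                      ("benign", BENIGN_SAMPLE)):
        print(name, score_message(raw), "malspam" if is_malspam(raw) else "clean")
    for ip in ("94.73.155.10", "94.73.155.12", "94.73.155.16", "113.30.152.170"):
        print(ip, "blocked" if ip_blocked(ip) else "allowed")
```

Requiring all three elements together keeps the false-positive rate down: a subject like "GVH Payment" on its own is ordinary business mail, and the attachment regex alone would also catch legitimate documents with short upper-case names. The blocklist check uses `ipaddress` so that the /29 covers both 94.73.155.10 and 94.73.155.12 without listing each host.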