This fake banking email leads to malware.

From: invoice@bankline.ulsterbank.ie [invoice@bankline.ulsterbank.ie]
Date: 2 April 2015 at 11:46
Subject: Outstanding invoice

Dear [victim],

Please find the attached copy invoice which is showing as unpaid on our ledger. To download your invoice please click here

I would be grateful if you could look into this matter and advise on an expected payment date.

Courtney Mason
Credit Control
Tel: 0845 300 2952

The link in the email leads to a download location at hightail.com (the sample I saw was downloaded from https://www.hightail.com/download/e?phi_action=app/directDownload&fl=SWhZekZucVhVbTlFQlFJWjA4bnVnVE9yZWt5UmdteDRsUjJuWENHRzVZbz0). The download is a file called Doc_0062119-LQ.zip, which in turn contains the malicious executable Doc_0062119-LQ.scr.

The executable has a VirusTotal detection rate of 3/57 and has characteristics that identify it as Upatre. Automated analysis tools [1] [2] [3] [4] [5] show that it downloads additional components from:

eduardohaiek.com/images/wicon1.png
edrzambrano.com.ve/images/wicon1.png

It also POSTs data to 141.105.141.87 (Makiyivka Online Technologies Ltd, Ukraine) in a characteristic Upatre manner:

http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK

According to the Malwr report, the downloader drops a file gkkjxyz22.exe which has a detection rate of 2/57. This is probably the Dyre banking trojan.

Recommended blocklist:
141.105.140.0/22
eduardohaiek.com
edrzambrano.com

MD5s:
4c666564c1db6312b9f05b940c46fa9a
876900768e06c3df75714d471c192cc6
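As an added example (not part of the original post), the following Python checks proxy log lines against the indicators above: the recommended blocklist (network and domains), the wicon1.png download path, and the shape of the Upatre check-in URL. The log format and the regular expression generalising the single observed check-in URL are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted from the post above.
BLOCK_NETS = [ipaddress.ip_network("141.105.140.0/22")]
BLOCK_DOMAINS = {"eduardohaiek.com", "edrzambrano.com"}

# Shape of the observed check-in URL (/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK); assumption: generalised from that single URL.
CHECKIN_PATH = re.compile(r"^/[0-9A-Za-z]+/HOME/\d+/[0-9A-Za-z-]+/\d+/[A-Z]{10,}$")

def classify(url):
    """Return the list of indicator names that a URL matches (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in BLOCK_NETS):
            reasons.append("blocklisted-net")
    except ValueError:
        # Not an IP literal: match the domain itself or any subdomain of a blocklisted name.
        labels = host.split(".")
        if any(".".join(labels[i:]) in BLOCK_DOMAINS for i in range(len(labels))):
            reasons.append("blocklisted-domain")
    if parsed.path.lower().endswith("/images/wicon1.png"):
        reasons.append("payload-path")
    if CHECKIN_PATH.match(parsed.path):
        reasons.append("checkin-shape")
    return reasons

def scan_proxy_log(lines):
    """Flag lines in the constructed format '<ts> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        reasons = classify(parts[3])
        if reasons:
            hits.append((parts[1], parts[3], reasons))
    return hits

# Constructed sample log: two lines mirroring the post's traffic plus one benign line.
SAMPLE_LOG = [
    "2015-04-02T11:50:12Z 10.0.0.15 GET http://eduardohaiek.com/images/wicon1.png 200",
    "2015-04-02T11:50:31Z 10.0.0.15 POST http://141.105.141.87:13840/0204uk11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK 200",
    "2015-04-02T11:51:02Z 10.0.0.22 GET https://www.example.com/index.html 200",
]
```

Note that the blocklist entry edrzambrano.com as written does not cover the download host edrzambrano.com.ve; that host is caught here by the wicon1.png path rule instead.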