“Important information” virus email

More of these today, similar to yesterday, sent to multiple addresses – quite often ones stolen or leaked from LogMeIn, and one to an address I had used with a car hire company in the UK.

Subjects:

  • Important information
  • Need your attention,”Important notice
  • Financial information

Content:

Good morning

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Susie Randall
Seniour Finance Assistant

Good Afternoon,

We have received a payment from you for the sum of £ 720. Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1835 less the £3254.00 received making a total outstanding of £ 1115. We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.

If you need any copy invoices please do not hesitate to contact us

Regards,

Bernadette Dickson

Good Afternoon,

Please see attached the copy of the remittance.

Please can you send a revised statement so we can settle any outstanding balances.

Kind Regards,

Bette Andrews

All contained a Word attachment, in various formats.

The Word documents contain a password-protected macro. (The VBA project password only stops the code being viewed in the VBA editor; it does not encrypt the macro, so tools such as olevba still extract it.)

All the documents I tested accessed http://pastebin.com/download.php?i=wSSLkQeL, which appears to be partial macro content. Strange, given the documents appear to have slightly different content.

The macro then downloaded a file from http://91.226.93.110/bt/get1.php, which served me “crypted.120.exe”.
SHA256: 38c78da07166ef834cbd3299213e8b4a8f19cee8a3e6b55c0aea669544227f6d / Malwr Report

Two requests were also made to http://savepic.net/6835801.gif and http://savepic.net/6832729.gif

wscript was run, and finally 1233211.exe (the crypted file above, renamed) was started; it accessed https://46.36.217.227:3443/, which presents an SSL certificate created less than 12 hours ago (12 May 2015 13:50:30).
SSL Thumb: d7 91 8e e6 ee f0 1a 3c 71 36 de 17 5b 4f 62 eb 45 3b 09 ed
Serial Number: 00 e5 cb 9a fa 8f 04 ab 27

Shortly after, another request was made to https://159.253.20.116:4443/, which downloaded and then ran a file that quit almost immediately (probably having detected my virtual machine). Another recently created SSL certificate is used on that host (12 May 2015 13:51:41).
SSL Thumb: e6 6f f7 2a 2d 48 3b 79 92 b0 7d 68 5a b5 d3 87 29 f1 4e 31
Serial Number: 00 d8 28 ee 3e 3f 36 4d c4
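The chain above (raw paste fetch, executable served straight from an IP literal by a .php endpoint, then TLS to IP literals on odd ports with certificates minted hours earlier) lends itself to a simple triage over proxy logs and TLS observations. The script below is an added example, not the author's tooling or code; the URLs and certificate dates are the ones from this post, but the log line format, the client address, the content types and the "seen" capture times are constructed assumptions.

```python
import re
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed proxy/sandbox log lines (sample data, not the original capture) in the
# shape "<UTC time> <client> <method> <url> <status> <content-type>". The URLs are
# the ones from the post; timestamps, client and content types are assumptions.
SAMPLE_HTTP_LOG = """\
2015-05-12T22:41:03Z 10.0.0.15 GET http://pastebin.com/download.php?i=wSSLkQeL 200 text/plain
2015-05-12T22:41:09Z 10.0.0.15 GET http://91.226.93.110/bt/get1.php 200 application/x-msdownload
2015-05-12T22:41:12Z 10.0.0.15 GET http://savepic.net/6835801.gif 200 image/gif
2015-05-12T22:41:30Z 10.0.0.15 GET http://www.example.com/index.html 200 text/html
"""

# Constructed TLS observations; "notBefore" uses the string form ssl.getpeercert()
# returns, and the "seen" times are assumed capture times, not the post's.
SAMPLE_TLS_OBSERVATIONS = [
    {"seen": "2015-05-13T01:12:44Z", "host": "46.36.217.227", "port": 3443,
     "notBefore": "May 12 13:50:30 2015 GMT"},
    {"seen": "2015-05-13T01:13:10Z", "host": "159.253.20.116", "port": 4443,
     "notBefore": "May 12 13:51:41 2015 GMT"},
    {"seen": "2015-05-13T01:15:00Z", "host": "www.example.com", "port": 443,
     "notBefore": "Jan 07 00:00:00 2015 GMT"},
]

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PASTE_RAW_PATH = re.compile(r"^/(?:download\.php|raw(?:/|\.php))", re.IGNORECASE)
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                     "application/octet-stream"}
FRESH_CERT_SECONDS = 24 * 3600


def parse_utc(ts):
    """'2015-05-12T22:41:03Z' -> seconds since the epoch (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()


def check_http_line(line):
    """Return (rule, url) hits for one log line; an empty list means nothing flagged."""
    parts = line.split()
    if len(parts) != 6:
        return []
    _ts, _client, _method, url, _status, ctype = parts
    u = urlparse(url)
    host = u.hostname or ""
    is_exe = ctype.lower() in EXE_CONTENT_TYPES
    hits = []
    if host == "pastebin.com" and PASTE_RAW_PATH.match(u.path):
        hits.append(("pastebin-raw-fetch", url))        # macro pulling its next stage
    if IP_LITERAL.match(host) and is_exe:
        hits.append(("exe-from-ip-literal", url))       # no hostname, straight to an IP
    if u.path.lower().endswith(".php") and is_exe:
        hits.append(("php-endpoint-serving-exe", url))  # get1.php handing out an EXE
    return hits


def check_tls(obs):
    """Return rule names for one TLS observation (IP literal on an odd port, fresh cert)."""
    age = parse_utc(obs["seen"]) - ssl.cert_time_to_seconds(obs["notBefore"])
    hits = []
    if IP_LITERAL.match(obs["host"]) and obs["port"] != 443:
        hits.append("tls-to-ip-literal-nonstandard-port")
    if 0 <= age < FRESH_CERT_SECONDS:
        hits.append("cert-issued-within-24h")
    return hits


def triage(http_log, tls_observations):
    """Run both checks and return one alert string per hit, in log order."""
    alerts = []
    for line in http_log.splitlines():
        for rule, url in check_http_line(line):
            alerts.append(f"{rule}: {url}")
    for obs in tls_observations:
        for rule in check_tls(obs):
            alerts.append(f"{rule}: {obs['host']}:{obs['port']}")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_HTTP_LOG, SAMPLE_TLS_OBSERVATIONS):
        print(alert)
```

On the sample data the pastebin fetch, the get1.php executable and both TLS destinations are flagged, while the savepic.net images and the ordinary site are not. The certificate-age rule is the one worth keeping beyond this campaign: the 3443 and 4443 certificates here were created within 12 hours of the beacon, and `ssl.cert_time_to_seconds` parses the `notBefore` string exactly as `getpeercert()` hands it over, so the same check drops straight into a live capture.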
