Got a spam today at $dayjob. That's a feat in and of itself, given that
I'm blocking over 80% of IPv4 IP space at the server. But this one came
with something that I haven't seen in a while - a malware attachment (a
zipped .js file).
Here's a scan of that file:
https://www.virustotal.com/en/file/30a3bd32848adfa5f5b67f1a19705947adabcb4d1a1d4f4f8e47575c81785895/analysis/1456855137/
Detected by 2 out of 56 programs. Pathetic.
Who got it right?
Cyren JS/Locky.D!Camelot
F-Secure Trojan-Downloader:JS/Dridex.W
Cyren?
As in "Cyren out loud"? Never heard of them.
Wepawet is a piece of #### - it found nothing. Anubis (from the same
group) is still f*cked up (can't get any analysis results).
Malwr.com has got it right:
https://malwr.com/analysis/OTZhYTRhODVjY2E1NDlhMDg4MTgzOGEzYjUwNTM3NDc/
Here's where the payload is being obtained:
demo.rublemag.ru/system/logs/87yhb54cdfy.exe
demo.rublemag.ru = 178.63.61.195 (as I write this)
Here's who owns that IP:
address: Hetzner Online GmbH
address: Industriestrasse 25
address: D-91710 Gunzenhausen
address: Germany
phone: +49 9831 505-0
fax-no: +49 9831 505-3
abuse-mailbox: abuse@hetzner.de
These other IPs are somehow also involved (maybe backup?):
31.184.197.119
188.138.88.184
5.34.183.195
185.14.29.188
Here's the VT scan of the above-mentioned .exe file:
https://www.virustotal.com/en/file/8c781b10d0cc5f4734df9aca584ab996570560bff0cb7c9c5c152eddda35197c/analysis/1456879415/
Detection rate 5 / 56 (again - pathetic given this thing has been
circulating for over 6 hours).
Kaspersky UDS:DangerousObject.Multi.Generic
McAfee-GW BehavesLike.Win32.PWSZbot.fm
Qihoo-360 HEUR/QVM20.1.Malware.Gen
Rising PE:Malware.Generic/QRS!1.9E2D [F]
Symantec Suspicious.Cloud.2
This is ransomware, btw. Something I'm sure won't run properly on my
Win 98 system...
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)