Similar to the previous one. Still live.

HTML link in email body to hxxps://gallery.mailchimp[.]com/ccf92d32abc1af93aa16af680/files/097dcd19-24d9-4298-bb76-0779b4b2bb35/SR_PO_07042017.zip

Zipfile "SR_PO_07042017.zip" (MD5: c4a118fdac98c9b6f3886a755033ac52)
        VT 3/59 https://virustotal.com/en/file/92aa249b1721e721e47d9fca3da7ce1547c18c18bad3b7e73bfa66afe7a3e369/analysis/

Contains PE32 executable "SR-PO-07042017.exe" (MD5: 8214e7b73f9eee15e1732fda35a7e1fc)
        VT 7/62 https://virustotal.com/en/file/73bb429b7132018d2f30acc494671e8046e1c2187dd7748903053bdbdb2c34e5/analysis/
        Hybrid  https://www.hybrid-analysis.com/sample/73bb429b7132018d2f30acc494671e8046e1c2187dd7748903053bdbdb2c34e5
Triggered Sandbox signatures for Nanocore
Network traffic to sroombobo.ddns[.]net:5050 (Not resolving)
Network traffic to troomc.ddns[.]net:5050 (213.183.58.10 / AnMaXX RU)
Network traffic to sroom0.ddns[.]net (154.16.220.26 / AnMaXX RU)

Malspam also beacons to wwl1733.daum[.]net:4280 (117.52.3.173, ibi.net /
KIDC KR) with sender, recipient, & Message-ID.


Relevant Headers:
        Received: from mail-smail-216.hanmail.net (HELO mail-smail-216.hanmail.net) (211.43.197.73) with DHE-RSA-AES256-SHA encrypted SMTP; 7 Apr 2017 08:46:44 -0000
        Received: from mail-hmail-was9.s2.krane.9rum.cc ([10.197.10.51]) by mail-smail-216.hanmail.net (8.13.8/8.9.1) with SMTP id v378kRek025992; Fri, 7 Apr 2017 17:46:27 +0900
        Date: Fri, 7 Apr 2017 17:46:17 +0900 (KST)
        From: FSA || Procurement Office <jibankor @ hanmail.net>
        To: rajeshkelly1156 <rajeshkelly1156 @ yahoo.com>
        Subject: PO RT01 07/04/17
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

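As an added defender-side example (not part of the post above and not tooling from the mailop list): a Python script that matches the indicators quoted in the post against constructed DNS, connection and file log lines, and walks the quoted Received: headers to pick out the public relay that handed the message over. The key=value log format, the sample log lines, and the looser "port 5050 to any .ddns.net host" heuristic are assumptions made for the example; only the hosts, IPs, ports, hashes and headers come from the post.

```python
"""Match the post's indicators against constructed logs and walk its
Received: chain. Indicators are stored defanged, as in the post."""
import ipaddress
import re

# Indicators quoted from the post (defanged; refanged before matching).
C2_HOSTS = {"sroombobo.ddns[.]net", "troomc.ddns[.]net", "sroom0.ddns[.]net"}
BEACON_HOST, BEACON_PORT = "wwl1733.daum[.]net", 4280
LISTED_IPS = {"213.183.58.10", "154.16.220.26", "117.52.3.173"}
C2_PORTS = {5050}
BAD_MD5 = {
    "c4a118fdac98c9b6f3886a755033ac52": "SR_PO_07042017.zip",
    "8214e7b73f9eee15e1732fda35a7e1fc": "SR-PO-07042017.exe",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


HOSTS = {refang(h) for h in C2_HOSTS} | {refang(BEACON_HOST)}

# Constructed sample log lines (hypothetical "<ts> <kind> k=v ..." format).
SAMPLE_LOGS = [
    "2017-04-07T09:01:12Z dns src=10.0.0.21 query=sroombobo.ddns.net rcode=NXDOMAIN",
    "2017-04-07T09:01:13Z conn src=10.0.0.21 dst=213.183.58.10 dport=5050 proto=tcp",
    "2017-04-07T09:01:14Z conn src=10.0.0.21 dst=117.52.3.173 dport=4280 proto=tcp",
    "2017-04-07T09:02:00Z conn src=10.0.0.22 dst=151.101.1.69 dport=443 proto=tcp",
    "2017-04-07T09:03:30Z file host=ws21 name=invoice.exe md5=8214e7b73f9eee15e1732fda35a7e1fc",
    "2017-04-07T09:04:00Z dns src=10.0.0.23 query=example.com rcode=NOERROR",
    "2017-04-07T09:05:00Z conn src=10.0.0.24 dst=other-name.ddns.net dport=5050 proto=tcp",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_indicators(lines):
    """Return (line, reason) for every log line touching a listed indicator.

    Exact host/IP/hash matches come first; the last branch is a weaker
    heuristic (assumed here, not from the post): the C2 names are all
    dynamic-DNS hosts on 5050, so a 5050 connection to any .ddns.net host
    is flagged for review even when the name itself is not listed.
    """
    hits = []
    for line in lines:
        _ts, kind, rest = line.split(" ", 2)
        f = dict(KV.findall(rest))
        reason = None
        if kind == "dns" and f.get("query", "").lower() in HOSTS:
            reason = f"DNS lookup of listed host {f['query']}"
        elif kind == "conn":
            dst, port = f.get("dst", "").lower(), int(f.get("dport", 0))
            if dst in LISTED_IPS or dst in HOSTS:
                reason = f"connection to listed host/IP {dst}:{port}"
            elif port in C2_PORTS and dst.endswith(".ddns.net"):
                reason = f"heuristic: port {port} to dynamic-DNS host {dst}"
        elif kind == "file" and f.get("md5", "").lower() in BAD_MD5:
            reason = f"known sample {BAD_MD5[f['md5'].lower()]} (md5 {f['md5']})"
        if reason:
            hits.append((line, reason))
    return hits


# The two Received: headers quoted in the post, newest first, whitespace joined.
RECEIVED = [
    "from mail-smail-216.hanmail.net (HELO mail-smail-216.hanmail.net) "
    "(211.43.197.73) with DHE-RSA-AES256-SHA encrypted SMTP; 7 Apr 2017 08:46:44 -0000",
    "from mail-hmail-was9.s2.krane.9rum.cc ([10.197.10.51]) by mail-smail-216.hanmail.net "
    "(8.13.8/8.9.1) with SMTP id v378kRek025992; Fri, 7 Apr 2017 17:46:27 +0900",
]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def handoff_ip(received):
    """Walk Received: headers newest-first and return the first public IP:
    the relay that handed the message to the receiving side. Private hops
    (here 10.197.10.51 inside the sender's provider) are skipped."""
    for hdr in received:
        for ip in IP_RE.findall(hdr):
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None


if __name__ == "__main__":
    for line, reason in match_indicators(SAMPLE_LOGS):
        print(f"HIT  {reason}\n     {line}")
    print("hand-off relay:", handoff_ip(RECEIVED))
```

The heuristic branch is deliberately separate from the exact matches so it can be triaged with a lower severity; with dynamic-DNS C2 the names rotate faster than the port and hosting pattern do.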