2017-06-05 Dridex "Invoice"

1. 2017-06-05: #dridex email phishing campaign "Invoice"
2.  
3. Download sites:
4. http://almahaconsultants.com/8yfh4gfff
5. http://cartus-imprimanta.ro/8yfh4gfff
6. http://clicburkina.com/8yfh4gfff
7. http://cqyssj.com/8yfh4gfff
8. http://luczko.pl/8yfh4gfff
9. http://mainlinecarriers.co.tz/8yfh4gfff
10. http://newserniggrofg.net/af/8yfh4gfff
11. http://quitecross.com/8yfh4gfff
12. http://resevesssetornument.com/af/8yfh4gfff
13. http://salonpalmareal.com/8yfh4gfff
14. http://servisanchez.com/8yfh4gfff
15. http://sethiwriting.com/8yfh4gfff
16. http://sonder-bar.net/8yfh4gfff
17. http://spaceonline.in/8yfh4gfff
18. http://studyineurope.in/8yfh4gfff
19. http://weddingphotolook.es/8yfh4gfff
20. http://xtramax.de/8yfh4gfff
21. http://ymcaonline.net/8yfh4gfff
22.  
23. Malware:
24. - encoded on download SHA256 539ca5726521381bd388dd893f618636449a5900cf43db6fdcdf9f817efd8257, MD5 8f527b08eb39578d18a3690980baf2c0
25. - decode by XORing the file with "bG5NeavlddlywpNO3tr8NsVNH0CBpcGi"
26. - decoded SHA256 c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97, MD5 1a18e844222a43381839d2fa95493ee3
27. - VT https://www.virustotal.com/file/c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97/analysis/1496659761/
28. - HA https://www.reverse.it/sample/c7dc1e2d1dbda6e287675160f1e96f6514b8a6f10017a1e4b76c7591c3785e97?environmentId=100