Purchase Order Malspam Delivering Loki-bot - PO-3DAE9F0.iso

Purchase-order-themed malspam email with an .iso file attachment and a URL linking to an .iso file hosted on Dropbox. The ISO file contains an embedded EXE (PO-3DAE9F0.exe) that calls out to 2.16.106.97 (Akamai). After an initial assessment, the threat is believed to be Loki-bot; this post will be updated as needed.

Date/time:
May 7th 2018, 13:30:21.000

"sender" from:
zuber.desai@baesystems[.]com

Headers received:
from baesystems[.]com (unknown [66.85.157.66])

Header reply-to:
ikechukwunwagod@gmail[.]com

Subject line:
Quotation and enquiry

Message Body:
“Dear Sir, Hope you received my previous email regarding our new order. Attached is our Updated quotation and P.O. Please check and give us your best Price. Looking forward to your response soon. thank you ACCOUNTS sent from my IPHONE”

URL:
hxxps://www.dropbox[.]com/s/irzopkqkbaqz28e/Po%23998765[.]iso?dl=1

Callout:
2.16.106.97 (Akamai)

Attachment details:
size: 708608
sha1: 9fa2f03b615f5d3f0e59f7b9fbf31e20e66e0cfb
name: PO-3DAE9F0.iso
type: ISO 9660 CD-ROM filesystem data ‘PO-3DAE9F0’
mime: application/x-iso9660-image
crc32: E2B48926
ssdeep: 12288:8EafC+f5/1W6z44u/8T3yN+cfyO6nVVI2sdDwF+NKFIpY:/avPzii3yRfyLy2lFvmpY
sha256: 72db454a6b5b84be29883f1e4031586bcf151785cce67a2f580c380e0c3a2f60
sha512: 0f5044778f77a61f092c7c91ad264f68d80e43cd0b724b7cd049e5f171e858188bd1ebc1e0171b848d80cdfc63149610016f105f4f89100ab893407fb24c613c
md5: e56ef64d46256eb2479977d354b82bce
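
The traits recorded above (a Reply-To domain that differs from the From domain, a relay that names itself as the sender's domain but is logged as unknown, and an .iso delivered both as an attachment and as a link) can be checked mechanically at the mail gateway or during triage. The following Python is an added example, not part of the original report; the finding labels, the `.img` extension and the Received-line layout are assumptions, and the sample message is constructed from the report's defanged values.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

DISK_IMAGE_EXT = (".iso", ".img")          # extension list is an assumption
ISO_MIME = "application/x-iso9660-image"   # MIME type given in the report

def refang(text):  # undo the report's defanging so standard parsers accept it
    return text.replace("hxxp", "http").replace("[.]", ".")

def domain(header_value):  # lower-cased domain of an address header, or ""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg, findings = message_from_string(raw), []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # Relay announces itself as the From domain while the receiving server
    # recorded no hostname for its IP (assumes "name (unknown [ip])" layout).
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(unknown\s+\[([0-9A-Fa-f.:]+)\]\)", rcvd)
        if m and m.group(1).lower() == from_dom:
            findings.append(f"unresolved-relay-claims-from-domain:{m.group(2)}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(DISK_IMAGE_EXT) or part.get_content_type() == ISO_MIME:
            findings.append(f"disk-image-attachment:{name}")
        elif part.get_content_type() == "text/plain":
            for url in re.findall(r"https?://\S+", part.get_payload()):
                parts = urlsplit(url)
                if unquote(parts.path).lower().endswith(DISK_IMAGE_EXT):
                    findings.append(f"disk-image-link:{parts.hostname}")
    return findings

def sample_message():
    # Constructed: values are the report's; MIME layout and body byte are invented.
    m = EmailMessage()
    m["From"] = refang("zuber.desai@baesystems[.]com")
    m["Reply-To"] = refang("ikechukwunwagod@gmail[.]com")
    m["Received"] = refang("from baesystems[.]com (unknown [66.85.157.66])")
    m.set_content(refang("hxxps://www.dropbox[.]com/s/irzopkqkbaqz28e/Po%23998765[.]iso?dl=1"))
    m.add_attachment(b"\0", maintype="application", subtype="x-iso9660-image", filename="PO-3DAE9F0.iso")
    return m.as_string()

if __name__ == "__main__":
    print("\n".join(triage(sample_message())))
```

Each finding is a weak signal on its own; the combination of all four on one message is what matches this campaign.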

PO-3DAE9F0 iso:
https://www.virustotal.com/en/file/72db454a6b5b84be29883f1e4031586bcf151785cce67a2f580c380e0c3a2f60/analysis/1525716871/

PO-3DAE9F0 EXE:
https://www.virustotal.com/en/file/0576bdf243db2c05a83fb6a4b676f55066afec2e1a771a21ad921401e6a27c0b/analysis/
https://www.hybrid-analysis.com/sample/0576bdf243db2c05a83fb6a4b676f55066afec2e1a771a21ad921401e6a27c0b?environmentId=100

Censys.io for 66.85.157.66:
https://www.censys.io/ipv4/66.85.157.66

A Google search for the reply-to address returned one result for the domain Btcinvestors[.]org; the whois data is different at this time.