misterblister

Members
Posts: 7
Reputation: 0 Neutral
  1. Sorry, one thing I got wrong was this user is on Windows 7 64-bit, not Windows 8.1.
  2. I'm pretty confident that is the file. It was the only email the user got that had an attachment, and the date/time of the email is very close to the creation date/time of the downloaded EXE that was cleaned. I even opened it on their infected PC with the Internet unplugged and it definitely attempted to do something after enabling editing/macros, but obviously could not get/run its payload. I can verify this tomorrow, but is it possible the payload is disabled? Is it possible there was some other mechanism in the file, perhaps linking/loading something externally from within the DOC? Keep in mind the user opened this with Word 2013, which was set to trust and run all macros, so once they clicked "enable editing" (which Word 2013 requires on attachments opened from Outlook 2013), it was enabled to do everything it wanted to.
  3. Interesting. I am tempted to set up a sandbox and test the latest MBE using this malware, before MBA updates their engine. I am very curious to know whether it would have been stopped, keeping in mind this malware may also have been coded to disable MBAE.
  4. Here's the last analysis I did today: https://www.virustotal.com/en/file/28e630bda1c3c0d5b925b5cdac070df4bf5c09d4884888378d1f32490b0172f3/analysis/
  5. Last week one of our users opened a DOC attached to a phishing email, then enabled editing (and macros), and the DOC executed malicious code that disabled AVG's update engine (and notifications, apparently), then downloaded a variation of the Dyware malware which steals banking credentials, etc., which went undetected for three days. I am wondering whether MalwareBytes for business would have stopped this? For one thing, the DOC attachment, which is now seven days old, is still only detected by 3/57 A/V programs according to VirusTotal. So I doubt MB would have detected it at the time, but I am wondering how it might have handled the execution of the code? In hindsight I am thinking the most useful thing for me in this scenario to catch this sooner would be some sort of network traffic analyzer which would have detected all the strange traffic to Eastern European IP addresses that was exchanged with this user's computer. But from what I understand the solutions that do that are five figures and we are just a small business. Your insights appreciated. MB is not often mentioned in the small business arena when people talk about hardening their A/V, but I have an open mind. Thanks.
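The kind of low-cost traffic check the last post wishes for, as an added example that is not part of the original posts or of any product mentioned: it reads firewall-style connection records and flags one workstation repeatedly contacting one external address at near-constant intervals, the polling pattern a banking trojan produces while it waits for its command server. The log format, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log: "timestamp src dst dst_port action".
# 10.0.0.15 contacts 203.0.113.7 exactly once a minute (beacon-like), while its
# other connections are irregular web browsing.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:00:07 10.0.0.15 198.51.100.20 80 ALLOW
2015-03-02T09:01:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:01:45 10.0.0.15 198.51.100.20 80 ALLOW
2015-03-02T09:02:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:03:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:03:12 10.0.0.22 198.51.100.20 80 ALLOW
2015-03-02T09:04:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:05:00 10.0.0.15 203.0.113.7 443 ALLOW
2015-03-02T09:09:30 10.0.0.15 198.51.100.20 80 ALLOW
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, port, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_beacons(text, min_hits=5, max_cv=0.15, internal_prefix="10."):
    """Return (src, dst, port, hits, mean_gap_seconds) for outbound flows that
    repeat at near-constant intervals. cv = stdev/mean of the gaps between
    connections; a scheduled beacon has a small cv, human browsing does not."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            flows[(src, dst, port)].append(ts)
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((*key, len(stamps), avg))
    return beacons

if __name__ == "__main__":
    for src, dst, port, hits, avg in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} {hits} connections every ~{avg:.0f}s")
```

Real logs will need the thresholds tuned and an allowlist for legitimate pollers (update services, mail clients), which also beacon on a schedule.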