The sample looks like Carberp with a ransomware option added.
Contacted domains:
“www.billerimpex.com”
“www.macartegrise.eu”
“www.poketeg.com”
“priceclub.su”
“perovaphoto.ru”
“vision2010usa.com”
“asl-company.ru”
“www.fabbfoundation.gm”
“www.perfectfunnelblueprint.com”
“www.wash-wear.com”
“pp-panda74.ru”
Contacted IPs:
“216.58.215.46:80”
“91.210.104.247:80”
“148.251.131.183:80”
“52.29.192.136:80”
“178.33.233.202:80”
“185.174.175.30:80”
“87.236.19.51:80”
“50.63.197.11:80”
“87.236.16.31:80”
“104.27.184.39:80”
“146.66.72.87:80”
“69.73.180.151:80”
“87.236.16.29:80”
“173.247.242.133:80”
“188.165.53.185:80”
“107.178.113.162:80”
“188.64.184.90:80”
“188.64.184.90:443”
“213.186.33.3:80”
“213.186.33.3:443”
Sample here: hxxp://91.210.104.247/putty.exe
The sample porn.jpg downloads these URLs:
hxxp://megaupper.com/files/WGDJVYRH/porn.jpg
hxxp://91.210.104.247/emotet.txt
hxxp://91.210.104.247/debug.txt
hxxp://91.210.104.247/putty.exe
hxxp://91.210.104.247/zerophage_fuck_yourself.exe