- 2017-07-26: #TrickBot email phishing campaign "Emailing: NNNNNNN.JPG"
- Samples: 1955
- Email sample:
- ------------------------------------------------------------------------------------------------------
- From: "Jewel" <Jewel@[REDACTED]>
- To: [REDACTED]
- Subject: Emailing: 1198718.JPG
- Date: Wed, 26 Jul 2017 12:17:53 +0300
- The message is ready to be sent with the following file or link attachments:
- 1198718.JPG
- Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
- Attachment: 1198718.JPG.zip -> PGB_ 14284364841_390184.wsf
- ------------------------------------------------------------------------------------------------------
- - sender is spoofed so the email looks like it is coming from the same domain as the recipient
- - subject is "Emailing: <7 digits>.JPG"
- - attached file "<7 digits>.JPG.zip" contains file "<3 uppercase letters>_ <11 digits>_<6 digits>.wsf", which downloads the second-stage downloader from:
- Stage 2 download sites:
- The second-stage downloader is an MSHTA file containing VBScript, which downloads the encoded malware from:
- Malware download sites:
- Malware
- - encoded SHA256 217deddeff06f7548375c47b21786ee2eab8cc64a8d8028c0363478de12dae04, MD5 e82fe638aa6c6cd96cb7094195c22b6c
- - decode by XORing with "77JdBjX1f1zqehxdK62siY3T28L6GXEo"
- - decoded SHA256 a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58, MD5 3bc4484be3373920cac0d1199a1af75b
- - VT: https://www.virustotal.com/file/a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58/analysis/1501062942/
- - HA: https://www.reverse.it/sample/a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58?environmentId=100
- - encoded SHA256 98266b4640268d85f1c64907039e55d96b0ed2c889d315c1be45b4bb861db7f2, MD5 9c457aff0ffc1ac6d3f2e5948ff72f0c
- - decode by XORing with "77JdBjX1f1zqehxdK62siY3T28L6GXEo"
- - decoded SHA256 2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275, MD5 ab0093d24b8a61788bfa8c7ff73f0be8
- - VT: https://www.virustotal.com/file/2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275/analysis/1501062968/
- - HA: https://www.reverse.it/sample/2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275?environmentId=100
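Added example (not from the paste's author): a small triage script that checks a message against the lure naming described above (subject, zip name, inner .wsf name, sender spoofed to the recipient's domain) and performs the repeating-key XOR decode described under Malware so the decoded hashes can be compared with the ones listed. The sample headers are constructed with a placeholder domain; the XOR input in the usage block is a constructed stand-in, not a real download.

```python
import hashlib
import re
from email import message_from_string

# Lure naming from the write-up; WSF_RE keeps the "_ " (underscore, space)
# seen in the sample attachment name.
SUBJECT_RE = re.compile(r"^Emailing: \d{7}\.JPG$")
ZIP_RE = re.compile(r"^\d{7}\.JPG\.zip$", re.IGNORECASE)
WSF_RE = re.compile(r"^[A-Z]{3}_ \d{11}_\d{6}\.wsf$")
XOR_KEY = b"77JdBjX1f1zqehxdK62siY3T28L6GXEo"  # key quoted in the write-up

def sender_domain(addr: str) -> str:
    """Domain part of a mailbox string, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def triage(raw_headers: str, zip_name: str, inner_names: list) -> dict:
    """Flag one message against the lure pattern; inner_names are the file
    names found inside the zip (e.g. from a sandbox or unzip listing)."""
    msg = message_from_string(raw_headers)
    frm, to = sender_domain(msg.get("From", "")), sender_domain(msg.get("To", ""))
    hits = {
        "subject": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
        "zip_name": bool(ZIP_RE.match(zip_name)),
        "wsf_inside": any(WSF_RE.match(n) for n in inner_names),
        "same_domain_sender": frm != "" and frm == to,  # spoofed sender
    }
    hits["score"] = sum(hits.values())
    return hits

def xor_decode(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo the repeating-key XOR applied to the downloaded payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def digests(data: bytes) -> dict:
    """SHA256/MD5 of a buffer, for matching against the listed hashes."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}

# Constructed sample modelled on the email above (domain is a placeholder).
SAMPLE_HEADERS = ('From: "Jewel" <Jewel@example.test>\n'
                  "To: victim@example.test\n"
                  "Subject: Emailing: 1198718.JPG\n")

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, "1198718.JPG.zip", ["PGB_ 14284364841_390184.wsf"]))
    # Constructed stand-in for an encoded download; a real one is decoded the same way.
    print(digests(xor_decode(xor_decode(b"MZ\x90\x00example"))))
```

A score of 4 means every lure trait matched; the decoded digests are what you compare against the "decoded SHA256/MD5" values above.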