Racco42

2017-07-26 GlobeImposter "NN_Order_NNNN"

Jul 26th, 2017
2017-07-26: #GlobeImposter email phishing campaign "NN_Document|File|Invoice|Receipt|Scan_NNNN"
Samples: 373

Email sample:
----------------------------------------------------------------------------------------------------------------
From: DEMETRIUS WESTBROOK <demetriuswestbrook@incogniterra.org>
To: [REDACTED]
Subject: 93_Scan_1324
Date: Wed, 26 Jul 2017 19:06:17 +0200

001_0444

Attachment: 001_0444.zip -> 0001_1935.zip -> 001_1935.docm
----------------------------------------------------------------------------------------------------------------
- sender is random
- subject is "<2 digits>_<DOC|Document|File|Invoice|Receipt|Scan>_<4 digits>"
- attached file "001_<4 digits>.zip" contains another zip, which in turn contains "001_<4 digits>.docm", an MS Word document with a macro that downloads the XOR-encoded malware from one of the sites below

Attachments:

Download sites:

Malware:
- encoded on download, SHA256 33b775f740a94ad524c7079ef70c47d188a5b89dd92dc54f013247ed722104e9, MD5 d2056a71e2f06a775154a48c3123b6c9
- decoded by XORing with the repeating key "9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"
- decoded SHA256 a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e, MD5 7fd856f90b2ed4611d71fa530f1fc757
- VT: https://www.virustotal.com/en/file/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e/analysis/1501096328/
- HA: https://www.hybrid-analysis.com/sample/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e?environmentId=100
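Added example (not part of the original paste): a small Python helper that turns the notes above into checks an analyst or mail-gateway rule can run. It matches the subject and attachment naming patterns (including the inner "0001_NNNN.zip" name seen in the sample), strips the repeating-key XOR from a fetched blob, and compares the result with the decoded SHA256 given in the paste. The subjects and payload bytes in the demo are constructed; the real sample is not embedded.

```python
"""Detection helpers for the 2017-07-26 GlobeImposter "NN_Scan_NNNN" campaign."""
import hashlib
import re
from itertools import cycle

XOR_KEY = b"9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"  # key quoted in the paste
# SHA256 of the decoded payload, as listed in the paste
DECODED_SHA256 = "a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e"

# "<2 digits>_<DOC|Document|File|Invoice|Receipt|Scan>_<4 digits>"
SUBJECT_RE = re.compile(r"^\d{2}_(?:DOC|Document|File|Invoice|Receipt|Scan)_\d{4}$")
# outer zip "001_NNNN.zip", inner zip "0001_NNNN.zip", document "001_NNNN.docm"
ATTACH_RE = re.compile(r"^0{2,3}1_\d{4}\.(?:zip|docm)$", re.IGNORECASE)


def subject_matches(subject: str) -> bool:
    """True if the subject fits the campaign's lure pattern (exact form, no 'Re:')."""
    return SUBJECT_RE.match(subject.strip()) is not None


def attachment_matches(name: str) -> bool:
    """True if an attachment name fits the campaign's zip/docm naming."""
    return ATTACH_RE.match(name.strip()) is not None


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call also encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 of a blob, for comparison with the hashes in the paste."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def is_known_payload(encoded: bytes) -> bool:
    """Decode a blob fetched from a download site and check it against the paste."""
    return hashes(xor_decode(encoded))["sha256"] == DECODED_SHA256


if __name__ == "__main__":
    # constructed subjects: two lures, one reply, one unrelated
    for s in ["93_Scan_1324", "07_Invoice_9999", "Re: 93_Scan_1324", "Quarterly report"]:
        print(f"{s!r:22} lure subject: {subject_matches(s)}")
    # constructed stand-in for a download; encode it, then show decoding restores it
    plain = b"MZ\x90\x00constructed-stand-in-not-the-real-payload"
    encoded = xor_decode(plain)
    assert xor_decode(encoded) == plain
    print("stand-in decodes to known payload:", is_known_payload(encoded))  # False
```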