- 2017-07-26: #GlobeImposter email phishing campaign "NN_Document|File|Invoice|Receipt|Scan_NNNN"
- Samples: 373
- Email sample:
- ----------------------------------------------------------------------------------------------------------------
- From: DEMETRIUS WESTBROOK <demetriuswestbrook@incogniterra.org>
- To: [REDACTED]
- Subject: 93_Scan_1324
- Date: Wed, 26 Jul 2017 19:06:17 +0200
- 001_0444
- Attachment: 001_0444.zip -> 0001_1935.zip -> 001_1935.docm
- ----------------------------------------------------------------------------------------------------------------
- - sender (display name and address) is randomised per message
- - subject is "<2 digits>_<DOC|Document|File|Invoice|Receipt|Scan>_<4 digits>"
- - the attached file "001_<4 digits>.zip" contains a second zip (named "0001_<4 digits>.zip" in the sample above), which in turn contains "001_<4 digits>.docm", an MS Word document whose macro downloads the XOR-encoded payload from one of the download sites listed below
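Added example (not part of the original paste): a small Python triage helper that walks a nested zip attachment in memory and scores a message against the subject and file-naming conventions listed above. The sample builder, the benign comparison message and the `.docm` placeholder bytes are constructed here for the demo and are not the real attachment; the inner-zip pattern allows one or more leading zeros because the sample's inner archive is named "0001_1935.zip" while the outer is "001_0444.zip".

```python
import io
import re
import zipfile
from typing import Iterable

# Naming conventions of the 2017-07-26 GlobeImposter wave as described above.
SUBJECT_RE = re.compile(r"^\d{2}_(?:DOC|Document|File|Invoice|Receipt|Scan)_\d{4}$")
# Outer zip is 001_<4 digits>.zip; the inner zip in the sample has an extra
# leading zero (0001_1935.zip), so accept one or more zeros before the "1_".
ZIP_RE = re.compile(r"^0+1_\d{4}\.zip$", re.IGNORECASE)
DOCM_RE = re.compile(r"^001_\d{4}\.docm$", re.IGNORECASE)

MAX_MEMBER_SIZE = 20 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def attachment_chain(outer_name: str, data: bytes, max_depth: int = 4) -> list:
    """Return the chain of nested file names, outermost first, without touching disk.

    Stops at the first member that is not a zip, at an archive with more than
    one member (the campaign zips carry exactly one), or at max_depth.
    """
    chain = [outer_name]
    payload = data
    for _ in range(max_depth):
        buf = io.BytesIO(payload)
        if not zipfile.is_zipfile(buf):
            break
        with zipfile.ZipFile(buf) as zf:
            infos = zf.infolist()
            if len(infos) != 1 or infos[0].file_size > MAX_MEMBER_SIZE:
                break
            chain.append(infos[0].filename)
            payload = zf.read(infos[0])
    return chain


def score_message(subject: str, chain: Iterable[str]) -> dict:
    """Report which campaign indicators a message matches.

    chain is the list produced by attachment_chain(), e.g.
    ["001_0444.zip", "0001_1935.zip", "001_1935.docm"].
    """
    names = list(chain)
    hits = {
        "subject": bool(SUBJECT_RE.match(subject.strip())),
        "zip_in_zip": len(names) >= 2 and all(ZIP_RE.match(n) for n in names[:2]),
        "docm": bool(names) and bool(DOCM_RE.match(names[-1])),
    }
    # A macro document plus either the subject or the zip-in-zip nesting is
    # enough to flag the message as this campaign.
    hits["campaign_match"] = hits["docm"] and (hits["subject"] or hits["zip_in_zip"])
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for 001_0444.zip -> 0001_1935.zip -> 001_1935.docm.

    The .docm body is a placeholder string, not a real Office document.
    """
    docm = b"constructed placeholder, no macro inside"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("001_1935.docm", docm)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("0001_1935.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    chain = attachment_chain("001_0444.zip", build_sample())
    print(chain)
    print(score_message("93_Scan_1324", chain))
    print(score_message("Re: meeting notes", ["agenda.pdf"]))
```

The walker reads members into memory rather than extracting them, so nothing from the attachment ever lands on the triage host's filesystem; the size cap is there because a nested zip from an untrusted sender is exactly where an inflation bomb would sit.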
- Attachments:
- 5514117aaba438d5a3bf917a911ed4884897a6ec6b1ad1acc1e574144ada92bb 001_1787.docm
- b66e60f8b7b500ccd6009c10dcd6b6d94855165967c31c37bdb8c1b382a8d952 001_1935.docm
- b3d05c625527e2dfea7646bca9de7bc49068855a2304a2eb6b6f6d2f94493df6 001_3213.docm
- 0c16635b3fbd6d0bd41d90227aacbdb509bac6ba19883da472def3ad8b883f4f 001_3376.docm
- 16fbf067889c15ee9c81c591a2b67e791ba3d68e0d8e4f510f87a0bd0b760545 001_3641.docm
- eb8170b4f845a72ecf796749d4c3e1ace39451a8999166fcf7fcb17e8fe467d0 001_4227.docm
- 9853622a0989a181c03fe1d433b7510cc5d5fe7e46b2972fe6b99e7537f361da 001_4948.docm
- a904a1f15941db292dce920908f07c5c2318fe43c56fa85aa23ce75d17b74026 001_5079.docm
- a128ba744b4ccfc7e8c86cee8dba13894145268ec2fa540a69f9396a5e448c39 001_5332.docm
- 0ff2d98cdc9d1cdabf419b8d25c11711187a46137a3dcfb4200a66cdcd16cb9a 001_5376.docm
- e276ef0f99df76fc4924120e88f407e633f31c83edee0dfc62bac3b5f9ab4b1b 001_6350.docm
- 9847116a18d773f3448629068a2bb50bac5ebb03bd4ef481ef7008e05823789d 001_6458.docm
- 37d4e2478be67dad599359c3c1649f5ca03010f753b3f19077e9e841520dd149 001_6919.docm
- 396e75051ed5a7b2fe55eed9dc310b6c210259148d0dbef68ddd029586932df1 001_7719.docm
- 43ce2e21db13e155c791f4c55aeafd193a9b6f7617f10db6d1a40929d3f680bb 001_7737.docm
- a987500a5179cc0c05d2ab81d73d44d689f8410b9f77f84dff5060c6f2cd957e 001_8380.docm
- e98a99fb75e6869cdb9c4f4145bb705241cba65e71e70cbcdcd66a2048ea15d9 001_9060.docm
- 3b85d875a6ea47f9add681bb3b8fac098ff7a875709ae3f9cd8c54d60c5a775c 001_9174.docm
- 90c5c5e4fcf8b0a376c8836686fd704ef18cfb960c045b217f08185be6ec3429 001_9543.docm
- bb2cb0d5a8c0c7f49b4feb675f58a8394f2a24602a7009643d4200959b51dc2d 001_9584.docm
- 83ad03f06d2046ec6467c5f4985667ece6440dce62d009ee7c48e045e6268d3e 001_9806.docm
- Download sites:
- http://aarontax.com/hjbgtg67
- http://ayurvoyage.com/hjbgtg67
- http://dabar.name/hjbgtg67
- http://dessde.com/hjbgtg67
- http://e-snhv.com/hjbgtg67
- http://fondazioneprogenies.com/hjbgtg67
- http://gbaudiovisual.co.uk/hjbgtg67
- http://inormann.it/hjbgtg67
- http://motelesapp.com/hjbgtg67
- http://newlifetabernacle.org.uk/hjbgtg67
- http://pearlgonzalez.com/hjbgtg67
- http://swangroup.net/hjbgtg67
- http://tayangfood.com/hjbgtg67
- http://thegardiners.ca/hjbgtg67
- http://trominguatedrop.org/af/hjbgtg67
- http://urban-dna.pt/hjbgtg67
- http://vendemasonline.com/hjbgtg67
- http://wankelstefan.de/hjbgtg67
- http://westsussexcentre.org.uk/hjbgtg67
- http://ymcaonline.net/hjbgtg67
- Malware:
- - the payload is XOR-encoded as downloaded: SHA256 33b775f740a94ad524c7079ef70c47d188a5b89dd92dc54f013247ed722104e9, MD5 d2056a71e2f06a775154a48c3123b6c9
- - decode it by XORing the downloaded file with the key "9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"
- - decoded SHA256 a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e, MD5 7fd856f90b2ed4611d71fa530f1fc757
- - VT: https://www.virustotal.com/en/file/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e/analysis/1501096328/
- - HA: https://www.hybrid-analysis.com/sample/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e?environmentId=100
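Added example (not from the original paste): a Python decoder that applies the XOR key above and checks the result against the published hashes, so an analyst can confirm they recovered the same sample. It assumes repeating-key XOR with the key restarting at offset 0 every 32 bytes, which is the usual reading of "XORing with" a key shorter than the file; if the hashes do not line up, that assumption is the first thing to revisit. The "MZ" check is a heuristic for a Windows executable and is not stated on the page; the test input is constructed and is not the real payload.

```python
import hashlib
import sys
from itertools import cycle

KEY = b"9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"

# Hashes published above for the downloaded (encoded) and decoded files.
EXPECTED = {
    "encoded": {
        "sha256": "33b775f740a94ad524c7079ef70c47d188a5b89dd92dc54f013247ed722104e9",
        "md5": "d2056a71e2f06a775154a48c3123b6c9",
    },
    "decoded": {
        "sha256": "a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e",
        "md5": "7fd856f90b2ed4611d71fa530f1fc757",
    },
}


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Assumption: key restarts at offset 0 and repeats.

    XOR is its own inverse, so the same call both encodes and decodes.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def digests(data: bytes) -> dict:
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def decode_and_verify(encoded: bytes) -> dict:
    """Decode a downloaded blob and report whether it matches the published hashes."""
    decoded = xor_with_key(encoded)
    return {
        "encoded_matches": digests(encoded) == EXPECTED["encoded"],
        "decoded_matches": digests(decoded) == EXPECTED["decoded"],
        # Heuristic only: a Windows PE starts with "MZ". Not asserted by the page.
        "looks_like_pe": decoded[:2] == b"MZ",
        "decoded": decoded,
    }


def constructed_sample() -> bytes:
    """Constructed stand-in payload for the demo; not the campaign's real file."""
    plaintext = b"MZ" + b"\x90" * 62 + b"constructed test payload " * 4
    return xor_with_key(plaintext)  # what a download would look like on the wire


if __name__ == "__main__":
    # Usage: python decode.py <downloaded_file> [output_file]
    if len(sys.argv) >= 2:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_sample()
    result = decode_and_verify(blob)
    print({k: v for k, v in result.items() if k != "decoded"})
    if len(sys.argv) >= 3:
        with open(sys.argv[2], "wb") as fh:
            fh.write(result["decoded"])
```

When run against the real download, both `encoded_matches` and `decoded_matches` should be True; if only the first is True, the key or its alignment differs from the assumption stated above. Write the decoded file to an isolated analysis host only, since it is the live ransomware binary.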