- 2017-07-18 #trickbot email phishing campaign with empty subject
- Stats: 2200 emails, 26 unique downloaders, 25 download sites, 1 malware
- Email sample:
- ---------------------------------------------------------------------------------------------
- From: no-reply@broadway-inf.s-gloucs.sch.uk
- To: [REDACTED]
- Subject:
- Date: Tue, 18 Jul 2017 08:17:49 -0200
- Your Payment is attached.
- Attachment: doc00089338097365745041.zip
- ---------------------------------------------------------------------------------------------
- - from is no-reply@<spoofed domain>
- - subject is empty
- - attachment "doc<20 random digits>.zip" contains 2 files - "ATT0000<2 random digits>.txt" (just padding) and "doc<20-21 random digits>.vbs" which will download from:
- Download Sites:
- Malware:
- - encoded on download SHA256 89f984871f01faf4cefb5bc74786b79ec9f8371276c7e88a61ab43a76c55dfd5, MD5 b924f159ceac9540d7fee49d893b47e1
- - decode by XORing download with "pPsV3MkICYRC2rINL8kKL3GJczjHBidO"
- - decoded SHA256 4ac28bbfa2db1c230a18b95f488d94c719822dd17dd19feb31f3c620294f838c, MD5 7c584546be8087b3d62cb72d4cd536d6
- - VT: https://www.virustotal.com/en/file/4ac28bbfa2db1c230a18b95f488d94c719822dd17dd19feb31f3c620294f838c/analysis/
- - HA: https://www.reverse.it/sample/4ac28bbfa2db1c230a18b95f488d94c719822dd17dd19feb31f3c620294f838c?environmentId=100
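
The lure traits listed above (no-reply@ sender, empty subject, attachment and archive member naming) written as a mail-filter check. This is an added example, not part of the original paste; the addresses, digit strings and file contents in `build_sample` are constructed placeholders.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Name patterns taken from the campaign notes above.
ZIP_RE = re.compile(r"doc\d{20}\.zip", re.I)
PAD_RE = re.compile(r"ATT0000\d{2}\.txt", re.I)
VBS_RE = re.compile(r"doc\d{20,21}\.vbs", re.I)

def zip_matches(data: bytes) -> bool:
    """True if the archive holds exactly one padding .txt and one .vbs."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return False
    return (len(names) == 2
            and sum(bool(PAD_RE.fullmatch(n)) for n in names) == 1
            and sum(bool(VBS_RE.fullmatch(n)) for n in names) == 1)

def matches_campaign(raw: bytes) -> bool:
    """Check the three traits: no-reply@ sender, empty subject, doc<20 digits>.zip."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.startswith("no-reply@") or (msg.get("Subject") or "").strip():
        return False
    for part in msg.walk():
        name = part.get_filename() or ""
        if ZIP_RE.fullmatch(name) and zip_matches(part.get_payload(decode=True) or b""):
            return True
    return False

def build_sample(subject: str = "", zip_name: str = "doc" + "1234567890" * 2 + ".zip") -> bytes:
    """Constructed test message with inert placeholder files (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ATT000012.txt", "padding")
        zf.writestr("doc" + "0987654321" * 2 + ".vbs", "' inert placeholder")
    msg = EmailMessage()
    msg["From"] = "no-reply@example.test"
    msg["To"] = "user@example.test"
    if subject:  # an absent Subject header is treated the same as an empty one
        msg["Subject"] = subject
    msg.set_content("Your Payment is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```
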