2017-08-03 GlobeImposter "IMG_xxxx.BMP"

2017-08-03: #GlobeImposter email phishing campaign "IMG_xxxx.BMP"
Samples: 1376

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: bridgett pugh <bridgettsZpugh@gmail.com>
To: [REDACTED]
Subject: IMG_9835.PDF
Date: Fri, 04 Aug 2017 00:59:47 -0700

Attachment: IMG_9835.zip -> IMG_2278.js
-----------------------------------------------------------------------------------------------------------------------
- sender is <random>@gmail.com
- subject is "IMG_<4 digits>.<BMP|PDF|JPEG|JPG|GIF>
- email body is empty
- attached file "IMG_<4 digits>.zip" contains file "IMG_<4 digits>.js", a JSsript downloader which will download malware from:

Download sites (URL contains suffix ??<random>=<random> which does not influence download):
http://3sat.fr/JKhbj6g7
http://adelaidemotorshow.com.au/hg65fyJHG
http://apositive.be/hg65fyJHG
http://autoecole-jeanpierre.com/JKhbj6g7
http://camefe.com.mx/JKhbj6g7
http://cipemiliaromagna.cateterismo.it/hg65fyJHG
http://clubvive.net/JKhbj6g7
http://diesel-pickup-oil-site.com/hg65fyJHG
http://eubieartmedia.com/hg65fyJHG
http://greenerlivingca.com/JKhbj6g7
http://harristeavn.com/hg65fyJHG
http://homeownersinsurance.ca/JKhbj6g7
http://inducars.be/hg65fyJHG
http://irenefalsone.com/JKhbj6g7
http://lepair-be.com/JKhbj6g7
http://llallagua.ch/JKhbj6g7
http://peluqueriacaninaencordoba.com/JKhbj6g7
http://promultis.it/hg65fyJHG
http://saunaesofmansatis.net/JKhbj6g7
http://searchlightcare.com/JKhbj6g7
http://telesolutionsconsultants.com/hg65fyJHG
http://themeastralgratuit.com/JKhbj6g7

Malware:
- SHA256 228b6531f211ef09eef0c3d573636849bdd5751494b371cc750d33275949a345, MD5 ba3585645822f5656dc3197acb88bdd7
- VT: https://www.virustotal.com/en/file/228b6531f211ef09eef0c3d573636849bdd5751494b371cc750d33275949a345/analysis/
- HA: https://www.reverse.it/sample/228b6531f211ef09eef0c3d573636849bdd5751494b371cc750d33275949a345?environmentId=100