- 2017-07-24: #trickbot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"
- Samples: 687
- Email sample:
- -------------------------------------------------------------------------------------------------------------------
- From: <vm0@shelleycox.co.uk>
- To: [REDACTED]
- Subject: Voice Message Attached from 01257745291 - name unavailable
- Date: Mon, 24 Jul 2017 17:29:35 +0700
- Time: 21-Jul-2017 10:15:23
- Click attachment to listen to Voice Message
- Attachment: 01257745291_0580299_826828.zip -> 01258861149_20170411_704952.wsf
- -------------------------------------------------------------------------------------------------------------------
- - sender address is vm<1-5 digits>@<domain>
- - subject is "Voice Message Attached from <11 digits> - name unavailable"
- - attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains file "<11 digits>_<7 digits>_<6 digits>.wsf", which downloads the second-stage downloader from:
- Stage2 downloader sites:
- http://asozan.com/mllgkkei17?
- http://atelier-kreft.de/mllgkkei24?
- http://atc-academy.com/mllgkkei20?
- http://atmprotectiveservices.com.au/mllgkkei23?
- http://aupaircol.com/mllgkkei19?
- http://ausbildungscenter.net/mllgkkei14?
- http://auto-ecole-prudence.com/mllgkkei10?
- http://autobody.cciwest.net/mllgkkei21?
- http://autocares-segui.com/mllgkkei15?
- http://autoecoleciammarughi.com/mllgkkei12?
- http://autoecole-jeanlouis.com/mllgkkei11?
- http://autoghinzani.it/mllgkkei16?
- http://autogrand.perm.ru/mllgkkei13?
- http://autoparts-24.de/mllgkkei2?
- http://avallon-informatique.fr/mllgkkei18?
- http://avra-beach.gr/mllgkkei22?
- Malware download sites:
- http://angielam.com/378fh3
- http://apparelsave.com/378fh3
- http://arbeidspassie.nl/378fh3
- http://arquison2008.com/378fh3
- http://ars89.net/378fh3
- http://artazaromo.com/378fh3
- http://artcafe.stargard.com.pl/378fh3
- http://artdeco-repro.com/378fh3
- http://artigianatorusso.com/378fh3
- http://artplast.uz/378fh3
- http://arttouseit.ro/378fh3
- http://artwater.es/378fh3
- http://aryantech.com.my/378fh3
- http://ascensions.fr/378fh3
- http://asesoreszapico.com/378fh3
- http://asheardontheradiogreens.com/378fh3
- http://ashtangayogabcn.com/378fh3
- http://asianart.uz/378fh3
- http://aslan-natursteine.de/378fh3
- http://asliozturk.com/378fh3
- http://aspensunrise.com/378fh3
- http://assiemme.it/378fh3
- http://associacioaurora.org/378fh3
- http://associazioneignis.it/378fh3
- http://astrid-kerber.de/378fh3
- http://astrologie-forum.info/378fh3
- http://athleteatwork.co.uk/378fh3
- http://atn.de/378fh3
- Malware:
- - encoded on download, SHA256 626b30c22ac35f2bc371c4989ce2b1d435d44d0c86d0e9009b33c852ebc67976, MD5 78020fe348ba9ce40807f60e8375dd51
- - decode by XORing with "J5Z774rKPlS5pGrB047O9DZbH6FR2C3l"
- - decoded SHA256 5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224, MD5 d113359f92fce6d110bd840b72eec213
- - VT: https://www.virustotal.com/en/file/5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224/analysis/1500895222/
- - HA: https://www.reverse.it/sample/5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224?environmentId=100
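The following triage helper is an added example written for this page; it is not code from the original paste or from any tool the paste references. It turns the described sender, subject, attachment and URL-path patterns into checks that can be run over mail metadata and proxy logs, and it performs the repeating-key XOR decode the paste describes so the result can be verified against the stated decoded SHA256. Assumptions: the XOR is byte-wise with the quoted key used as ASCII and repeated across the payload; the paste's own sample .wsf name has an 8-digit middle field while the text says 7, so the inner-name pattern accepts 7 or 8 digits; all sample inputs in the block are constructed.

```python
"""Triage helper for the 2017-07-24 Trickbot "Voice Message Attached" campaign.

Added example, not part of the original paste. Patterns below are transcribed
from the paste's description; the XOR key and expected hash are the ones quoted
in the paste. Nothing here fetches anything: it only scores metadata and decodes
a payload you already have.
"""
import hashlib
import re
from itertools import cycle
from urllib.parse import urlsplit

# Email indicators as described in the paste.
SENDER_RE = re.compile(r"^vm\d{1,5}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SUBJECT_RE = re.compile(r"^Voice Message Attached from \d{11} - name unavailable$")
ZIP_RE = re.compile(r"^\d{11}_\d{7}_\d{6}\.zip$")
# Assumption: paste text says 7 middle digits, its sample .wsf has 8; accept both.
WSF_RE = re.compile(r"^\d{11}_\d{7,8}_\d{6}\.wsf$")

# URL paths seen in the paste's two site lists (trailing "?" is dropped by urlsplit).
STAGE2_PATH_RE = re.compile(r"^/mllgkkei\d+$")
PAYLOAD_PATH_RE = re.compile(r"^/378fh3$")

# XOR key and decoded-payload SHA256 quoted in the paste.
XOR_KEY = b"J5Z774rKPlS5pGrB047O9DZbH6FR2C3l"
DECODED_SHA256 = "5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224"


def score_email(sender, subject, attachments):
    """Return the campaign indicators matched by one message.

    attachments: iterable of (zip_name, [names inside the zip]) pairs.
    """
    hits = []
    if SENDER_RE.match(sender):
        hits.append("sender")
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    for zip_name, inner_names in attachments:
        if ZIP_RE.match(zip_name) and any(WSF_RE.match(n) for n in inner_names):
            hits.append("attachment")
            break
    return hits


def classify_url(url):
    """Label a URL as 'stage2', 'payload' or None based on its path only,
    so the check also fires for hosts not in the paste's lists."""
    path = urlsplit(url).path
    if STAGE2_PATH_RE.match(path):
        return "stage2"
    if PAYLOAD_PATH_RE.match(path):
        return "payload"
    return None


def xor_decode(data, key=XOR_KEY):
    """Byte-wise XOR with a repeating key (symmetric: also encodes)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def decode_and_verify(encoded, key=XOR_KEY, expected_sha256=DECODED_SHA256):
    """Decode a downloaded blob and report whether it matches the expected hash."""
    decoded = xor_decode(encoded, key)
    return decoded, sha256_hex(decoded) == expected_sha256


if __name__ == "__main__":
    # The email sample from the paste, used as a smoke test of the patterns.
    print(score_email(
        "vm0@shelleycox.co.uk",
        "Voice Message Attached from 01257745291 - name unavailable",
        [("01257745291_0580299_826828.zip", ["01258861149_20170411_704952.wsf"])],
    ))
    print(classify_url("http://asozan.com/mllgkkei17?"), classify_url("http://atn.de/378fh3"))
    # Constructed stand-in payload: round-trip the XOR and show the hash check failing
    # (it is not the real binary) and succeeding against its own hash.
    sample = b"constructed sample payload, not the real binary"
    blob = xor_decode(sample)
    print(decode_and_verify(blob)[1], decode_and_verify(blob, expected_sha256=sha256_hex(sample))[1])
```

For a real incident, feed `decode_and_verify` the bytes served from a `/378fh3` path and compare against `DECODED_SHA256`; a mismatch means either a different payload in the same campaign or a changed key, and the encoded-file hash from the paste can then be checked directly with `sha256_hex`.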