2017-07-20: #trickbot email phishing campaign "Document/Invoice/Order/Receipt/Scan"
---------------------------------------------------------------------------------------------------------
From: "Park Royal Partnership" <Adrian@ochil.globalnet.co.uk>
To: [REDACTED]
Subject: DOC
Date: Thu, 20 Jul 2017 15:40:54 +0530
Attachment: MX-2310U_20170720_836945.zip
---------------------------------------------------------------------------------------------------------
- subject is one of: DOC, Document, Documents, Invoice, Order, Paper, Receipt, Scan or Scanned document
- email body is empty
- attached file "MX-2310U_20170720_<6 digits>.zip" contains the file "doc000<17-18 digits>.vbs", which downloads the malware from one of the following sites:
Download sites:
Malware:
- encoded on download, SHA256 65cc73f46936f110658152134a6922909802aad263c9b2c146f9e6e166259c39, MD5 9d281c4c2a9b5505ff0e68903546b255
- decode by XORing with "FKHL2wZZ8a2MhL2g23gnm9b5bqvfhcZE"
- decoded SHA256 ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d, MD5 c5cd1e0ad1dbd79b0123a0dd96259075
- VT: https://www.virustotal.com/en/file/ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d/analysis/1500543639/
- HA: https://www.reverse.it/sample/ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d?environmentId=100
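Added example (not part of the original paste): an analyst-side decoder for a downloaded payload encoded with the XOR key noted above, which checks the result against the decoded SHA256 from the notes. It assumes the 32-byte key is applied cyclically over the file; the script name xor_decode.py and the sample bytes are constructed, not the real payload.

```python
import hashlib
import hmac
import sys

# Values quoted in the campaign notes above.
XOR_KEY = b"FKHL2wZZ8a2MhL2g23gnm9b5bqvfhcZE"
DECODED_SHA256 = "ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key length.

    XOR is its own inverse, so the same function both encodes and decodes.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 hex digests, the two hashes the notes record."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def decode_and_verify(encoded: bytes, key: bytes = XOR_KEY,
                      expected_sha256: str = DECODED_SHA256) -> tuple:
    """Decode and report whether the result matches the known decoded SHA256."""
    decoded = xor_repeating_key(encoded, key)
    ok = hmac.compare_digest(hashes(decoded)["sha256"], expected_sha256)
    return decoded, ok


# Constructed stand-in for a downloaded file (not the real sample); longer than
# the 32-byte key so the key wrap-around is exercised.
SAMPLE_PLAIN = b"constructed stand-in payload, deliberately longer than 32 bytes"
SAMPLE_ENCODED = xor_repeating_key(SAMPLE_PLAIN, XOR_KEY)

if __name__ == "__main__":
    # Stand-alone use: python xor_decode.py <encoded_file> [decoded_output]
    if len(sys.argv) < 2:
        sys.exit("usage: xor_decode.py <encoded_file> [decoded_output]")
    with open(sys.argv[1], "rb") as fh:
        decoded, ok = decode_and_verify(fh.read())
    print("decoded hashes:", hashes(decoded))
    print("matches known decoded SHA256:", ok)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(decoded)
```

A match on the known hash confirms both the key and the cyclic-application assumption; a mismatch on a real download means either the sample differs or the encoding is not plain repeating XOR.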