- 2017-07-25 #trickBot email phishing campaign "< No Subject >"
- Samples: 458
- Email sample:
- -----------------------------------------------------------------------------------------------------------------------
- From: <notifications@in.telstra.com.au>
- To: [REDACTED]
- Subject: < No Subject >
- Date: Wed, 26 Jul 2017 01:57:26 +0300
- Good Day,
- Please see attached email bill request from May-July 2017.
- Yours Sincerely,
- Sandy
- D354810
- Attachment: May-July2017.zip
- -----------------------------------------------------------------------------------------------------------------------
- - sender is "notifications@in.telstra.com.au"
- - subject is "< No Subject >"
- - the attached file "May-July2017.zip" contains a file named "<3 upcase letters>_ <11 digits>_<6 digits>.wsf", which, when executed, downloads the 2nd-stage downloader from:
- Stage2 download sites:
- The Stage2 downloader is an MSHTA file containing a VBScript downloader, which downloads the malware from:
- Malware download sites:
- Malware:
- - as downloaded (encoded): SHA256 932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd, MD5 e0aee94076700e1bcb6b9eac6121a9bb
- - decoded by XORing with the key "ur43vUVcQMub86bdFOwgt1rZJjssOXNj"
- - decoded: SHA256 b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13, MD5 90284b01fae8a932ca99767825568721
- - VT: https://www.virustotal.com/file/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13/analysis/1501024947/
- - HA: https://www.reverse.it/sample/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13?environmentId=100
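For an analyst who has captured the downloaded blob, the decode step above is a repeating-key XOR. The following Python is an added example, not code from the original paste: it applies the published key and checks the result against the published SHA256 values. The key and hashes are taken from the note; the sample bytes are constructed, so the match flags come back false, and the "MZ" header check is a generic sanity check the note itself does not mention.

```python
"""Decode a repeating-key XOR-encoded download and compare it with known hashes."""
import hashlib
from itertools import cycle

# Key and expected hashes exactly as published in the note above.
XOR_KEY = b"ur43vUVcQMub86bdFOwgt1rZJjssOXNj"
ENCODED_SHA256 = "932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd"
DECODED_SHA256 = "b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data with the key repeated cyclically; encoding and decoding are the same op."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyse_download(blob: bytes) -> dict:
    """Decode a captured download and report how it relates to the published IoCs.

    Returns the SHA256 of the blob as received and of the decoded payload, a flag
    for each against the hashes in the note, and whether the decoded bytes start
    with the 'MZ' header of a Windows executable (an assumption used only as a
    quick check that the key was right; the note does not state the file type).
    """
    decoded = xor_with_key(blob)
    enc_hash = sha256_hex(blob)
    dec_hash = sha256_hex(decoded)
    return {
        "encoded_sha256": enc_hash,
        "decoded_sha256": dec_hash,
        "encoded_matches_note": enc_hash == ENCODED_SHA256,
        "decoded_matches_note": dec_hash == DECODED_SHA256,
        "decoded_is_pe": decoded[:2] == b"MZ",
        "decoded": decoded,
    }


# Constructed sample: a harmless PE-like stub, encoded the way the note says the
# real payload is served. It is NOT the TrickBot sample.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed stand-in payload, not malware\n"
SAMPLE_DOWNLOAD = xor_with_key(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, value in analyse_download(SAMPLE_DOWNLOAD).items():
        if name != "decoded":
            print(f"{name}: {value}")
```

On a real capture, replace SAMPLE_DOWNLOAD with the file bytes and expect both match flags to be true only if the blob is the exact sample the note describes.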