API tools faq
paste
Advertisement
Racco42

2017-07-19 TrickBot "True Telecom Invoice for June 2017"

Racco42
Jul 19th, 2017
4,224
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.51 KB | None | 0 0
raw download clone embed print report
  1. 2017-07-19 #TrickBot email phishing campaign "NNNNNNNN - True Telecom Invoice for June 2017"
  2. Stats: 1062 emails -> 13 unique PDFs -> 13 unique .docm -> 11 unique macros -> 33 download sites -> 2 malware samples
  3.  
  4. Email sample:
  5. ---------------------------------------------------------------------------------------------------------------
  6. From: billing@true-telecom.com
  7. To: [REDACTED]
  8. Subject: 19214857 - True Telecom Invoice for June 2017
  9. Date: Wed, 19 Jul 2017 14:34:54 +0530
  10.  
  11. Dear CUSTOMER
  12.  
  13. We have attached your latest True Telecom bill for June 2017.
  14.  
  15. To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You may already have this installed,
  16. if not please visit the Adobe website and download their free viewer.
  17.  
  18. Payments made by direct debit will be collected 14 days from the date of the Bill.
  19.  
  20. If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.
  21.  
  22. Telephone: 0800 840 40 60
  23. Fax: 0844 779 2253
  24. Email: customerservice@true-telecom.com
  25.  
  26. Please be advised that this is an unmonitored email address.
  27.  
  28. With Kind Regards,
  29.  
  30. The True Telecom Team
  31. www.True-Telecom.com
  32.  
  33.  
  34. True Telecom Ltd is registered in England and Wales No. 08225783.
  35. Head Office address: Ground Floor,Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE
  36.  
  37. This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and may contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail "the Company" is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)
  38.  
  39. Attachment: 2017-06-Bill.PDF
  40. ---------------------------------------------------------------------------------------------------------------
  41. - sender is billing@true-telecom.com
  42. - subject is "<8 digits> - True Telecom Invoice for June 2017"
  43. - attached file "2017-06-Bill.PDF" contains embedded MS Word file "DOC<8 digits>.docm" which contains macro that will download from:
  44.  
  45. Attachments:
  46. 42cbb51be75a0ce60dbdcd8e387a476eedc795c0af8430eca89fd42f0ec39e1f 0004.pdf
  47. 738fc2a336bc07cae027648411c1e56192d33d88ae15a5fb2d075b39d067459b 0005.pdf
  48. 554442f604e2f96db836cbec6da6e772aa98d99d090a7a23956ef7a5bfaaddaa 0008.pdf
  49. e6630b69628c8c8f56d112865593cec8b45f76bc098b76ef44e9fa8c3af66e66 0009.pdf
  50. c9d84853c51373ae3ca06fba80575be6ed85e6894c89b1552bf661f8cfdcd697 0010.pdf
  51. 92e923a78c47188139a8b34d67e4e8ca43000e48f7135b23a7fb73e9494b1fdd 0012.pdf
  52. c9826cb668cf449d13b8074ebf86f1b7b35fe03aa56f34a4c6a666bc2fbe3d46 0017.pdf
  53. adc0628a2837cd47b525dfd2253aa229ecd00a3f41aff13af2c7a64b481d54a2 0066.pdf
  54. 40729b4fc84e69627cd87589bba3b241b4125228b86fc9bd208ce852d8babdcd 0176.pdf
  55. be26d88dc62cca807b588747c56eb2b822009be48d9714eb48be2cfe1456ec0b 0199.pdf
  56. 1f2b3082e70ed8d9657a2ff23b77a60eae29d108377258c9ab6aa7d00acdec06 0509.pdf
  57. 847c37bcdc543fa84a14a51891d4f9c16b24929cb3755e1ffaf8303508b4a211 0515.pdf
  58. 42e6ad9ae22386ccf89edf4db4603868e0a69b73541f31194ef2244f4807049a 0776.pdf
  59.  
  60.  
  61. Download sites:
  62. http://aarontax.com/83b7bf3
  63. http://aromozames.ru/83b7bf3
  64. http://atlon-mebel.ru/83b7bf3
  65. http://atsxpress.com/83b7bf3
  66. http://ayurvoyage.com/83b7bf3
  67. http://cabbonentertainments.com/83b7bf3
  68. http://cupcakery.in/83b7bf3
  69. http://dabar.name/83b7bf3
  70. http://descuentosperu.com/83b7bf3
  71. http://editorialmasterlibros.com/83b7bf3
  72. http://enzyma.es/83b7bf3
  73. http://e-snhv.com/83b7bf3
  74. http://faltico.com/83b7bf3
  75. http://fibrotek.com/83b7bf3
  76. http://fondazioneprogenies.com/83b7bf3
  77. http://gbaudiovisual.co.uk/83b7bf3
  78. http://in-city.info/83b7bf3
  79. http://infochord.com/83b7bf3
  80. http://inormann.it/83b7bf3
  81. http://kms2017.com/83b7bf3
  82. http://luxurious-ss.com/83b7bf3
  83. http://motelesapp.com/83b7bf3
  84. http://nasusystems.com/83b7bf3
  85. http://nikanels.pl/83b7bf3
  86. http://orinta.de/83b7bf3
  87. http://pankaj.pro/83b7bf3
  88. http://pearlgonzalez.com/83b7bf3
  89. http://peterich.de/83b7bf3
  90. http://pta-babel.net/83b7bf3
  91. http://pw-shop.com/83b7bf3
  92. http://schoolalarm.in/83b7bf3
  93. http://spaceonline.in/83b7bf3
  94. http://studio80.biz/83b7bf3
  95. http://sunnydaypublishing.com/83b7bf3
  96. http://swangroup.net/83b7bf3
  97. http://sxmht.com/83b7bf3
  98. http://taobba.com/83b7bf3
  99. http://tax-accounting.net/83b7bf3
  100. http://tayangfood.com/83b7bf3
  101. http://teoxan.ru/83b7bf3
  102. http://test.atlon-mebel.ru/83b7bf3
  103. http://thegardiners.ca/83b7bf3
  104. http://thetwilightzonenetwork.com/83b7bf3
  105. http://tidytrend.com/83b7bf3
  106. http://urban-dna.pt/83b7bf3
  107. http://wankelstefan.de/83b7bf3
  108. http://westsussexcentre.org.uk/83b7bf3
  109. http://wizbam.com/83b7bf3
  110. http://ymcaonline.net/83b7bf3
  111.  
  112. Malware:
  113. - [1] encoded on download SHA256 c829ec30efa6a0448ab27c8d7a0b139c102b14805cd458084353e3e5f0343fd2, MD5 7b4e5bd60644f28b042ff6faa10519c2
  114. - [2] encoded on download SHA256 a11fd973ea8bfd69772c26fde686f6529e671058799301f2aea3915b1a928f51, MD5 89eae47c0fe12a7409dc42304dbb737f
  115. - decode by XORing download with "cizf8cXPd8VvFu1oEdTbJEViOJp6Dmmh"
  116. - [1] decoded SHA256 9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441, MD5 eb35f0484e9cd890a39e675fbb352d7c
  117. - [2] decoded SHA256 bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60, MD5 f9650f8f6d8953dbfef206a4783cdd56
  118. - [1] VT: https://www.virustotal.com/file/9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441/analysis/
  119. - [2] VT: https://www.virustotal.com/file/bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60/analysis/
  120. - [1] HA: https://www.reverse.it/sample/9f6549b5278691c3c1b46d9a5628445d65e89f31a9d4be07077d2afbacd2d441?environmentId=100
  121. - [2] HA: https://www.reverse.it/sample/bbf078b84fe939f8b3a3d297c72b9240749bcd59fb0a31e6098e822f1a83fd60?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!