2017-07-26 Trickbot "Emailing: NNNNNNN.JPG"

Racco42 Jul 26th, 2017 (edited)
2017-07-26: #TrickBot email phishing campaign "Emailing: NNNNNNN.JPG"
Samples: 1955

Email sample:
------------------------------------------------------------------------------------------------------
From: "Jewel" <Jewel@[REDACTED]>
To: [REDACTED]
Subject: Emailing: 1198718.JPG
Date: Wed, 26 Jul 2017 12:17:53 +0300

The message is ready to be sent with the following file or link attachments:

1198718.JPG

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

Attachment: 1198718.JPG.zip -> PGB_ 14284364841_390184.wsf
------------------------------------------------------------------------------------------------------
- sender is spoofed to look like the email is coming from the same domain
- subject is "Emailing: <7 digits>.JPG"
- attached file "<7 digits>.JPG.zip" contains file "<3 uppercase letters>_ <11 digits>_<6 digits>.wsf" which will download the second stage downloader from:

Stage2 download sites:

Second stage downloader is an MSHTA file containing VBScript which will download encoded malware from:

Malware download sites:

Malware
- encoded SHA256 217deddeff06f7548375c47b21786ee2eab8cc64a8d8028c0363478de12dae04, MD5 e82fe638aa6c6cd96cb7094195c22b6c
- decode by XORing with "77JdBjX1f1zqehxdK62siY3T28L6GXEo"
- decoded SHA256 a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58, MD5 3bc4484be3373920cac0d1199a1af75b
- VT: https://www.virustotal.com/file/a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58/analysis/1501062942/
- HA: https://www.reverse.it/sample/a79e3958f06094318283db6437733bccd0962befcc5817ca2aaa48ae78404d58?environmentId=100

- encoded SHA256 98266b4640268d85f1c64907039e55d96b0ed2c889d315c1be45b4bb861db7f2, MD5 9c457aff0ffc1ac6d3f2e5948ff72f0c
- decode by XORing with "77JdBjX1f1zqehxdK62siY3T28L6GXEo"
- decoded SHA256 2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275, MD5 ab0093d24b8a61788bfa8c7ff73f0be8
- VT: https://www.virustotal.com/file/2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275/analysis/1501062968/
- HA: https://www.reverse.it/sample/2e3090322cc2a186b881f13b19b40eb15977e611c44bcddcba1ffb3cd7f36275?environmentId=100
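A decoder for the XOR step noted above, added here as an example and not part of the original paste. The encoded blobs themselves are not on this page, so demo() encodes a constructed stand-in with the quoted key and decodes it again; it assumes a plain repeating-key XOR starting at key offset 0, and checks the result against the reported "decoded SHA256" the way an analyst would before trusting the output.

```python
import hashlib
import itertools

# Key quoted in the write-up above. Assumption: the payload is XORed byte-by-byte
# with the key repeated from offset 0; the real encoded blobs are not on this page,
# so demo() encodes a constructed stand-in and decodes it again.
XOR_KEY = b"77JdBjX1f1zqehxdK62siY3T28L6GXEo"


def xor_decode(data, key=XOR_KEY):
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def hashes(data):
    """SHA256 and MD5 hex digests, the two hashes the write-up reports per sample."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def decode_and_verify(encoded, expected_sha256, key=XOR_KEY):
    """Decode, then confirm the result matches the reported 'decoded SHA256'.

    Returns (decoded_bytes, matched). A mismatch means the wrong key, a truncated
    download or a different sample, so the decoded bytes should not be trusted.
    """
    decoded = xor_decode(encoded, key)
    return decoded, hashes(decoded)["sha256"] == expected_sha256.strip().lower()


def demo():
    """Round-trip a constructed blob (not a real sample); returns (ok, ok_wrong_key)."""
    plaintext = b"MZ" + bytes(range(256)) * 3          # constructed stand-in payload
    encoded = xor_decode(plaintext)                     # what the MSHTA stage would fetch
    expected = hashes(plaintext)["sha256"]              # stands in for the reported hash
    decoded, ok = decode_and_verify(encoded, expected)
    _, ok_wrong_key = decode_and_verify(encoded, expected, key=b"not-the-key")
    assert decoded == plaintext
    return ok, ok_wrong_key


if __name__ == "__main__":
    print(demo())                                       # (True, False)
```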