#Bokbot
Notes:
I got a run of odd #bokbot loaders sent via email as .doc that are actually .docx. They are still coming in now.
Loads the goofy screen attached. Executes embedded VBS to call WSCRIPT and download from an open dir full of #trickbot and other garbage.
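Added defender-side example, not part of the paste: a Python triage check for the two things the notes describe, an attachment named .doc that is really an OOXML zip (and whether that zip carries a vbaProject.bin), plus the lure subject lines listed further down. The message it scans is constructed inline; the attachment bytes, sender and filename are placeholders, not the real loader.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (CFB container)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm (zip container)
# The four subject variants from the paste, collapsed into one pattern
SUBJECT_RE = re.compile(
    r"you have (?:got|collected|received) (?:message|email) about "
    r"(?:your )?unpaid (?:invoice|statement)", re.IGNORECASE)

def classify_attachment(name, data):
    """Flag container/extension mismatches and an embedded VBA project in one attachment."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(ZIP_MAGIC):
        if ext == "doc":
            findings.append("extension-mismatch: named .doc but is an OOXML zip")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            names = []  # zip magic but unreadable archive: no macro verdict possible
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("macro: word/vbaProject.bin present")
    elif data.startswith(OLE_MAGIC) and ext in ("docx", "docm"):
        findings.append("extension-mismatch: named OOXML but is a legacy OLE file")
    return findings

def scan_eml(raw):
    """Return findings for a raw RFC 822 message: lure subject plus attachment checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("subject: matches unpaid-invoice lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings += [f"{name}: {f}" for f in classify_attachment(name, data)]
    return findings

def build_sample():  # constructed test message: a .doc-named zip with a vbaProject.bin entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real macro
    m = EmailMessage()
    m["Subject"] = "You have got email about unpaid statement"
    m.set_content("Statement attached to this email.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="efax_document_SAMPLE.doc")
    return m.as_bytes()
```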
_____________________________
Email Template example:
Date: Tue, 29 Oct 2019 11:17:27 -0600
From: "=?utf-8?Q?Loan_Services?=" <ldb3@homesc.com>
Organization: dzldcilvcijcj
X-Priority: 3 (Normal)
Message-ID: <6650300744.20191029111727@homesc.com>
To: Victim@yourdomain.tld
Subject: =?utf-8?Q?You_have_received_message_about_your_unpaid_invoice?=
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="----------4F3D0D45A18DE123E5"
X-DLP-OUTBOUND: 137.118.40.128/25
X-MAG-OUTBOUND: greymail.redcondor.net@137.118.40.128/25
X-Modus-SPF-Results: spf=pass, details=homesc.com: Sender is authorized to use 'homesc.com' in 'mfrom' identity (mechanism 'include:spf1.neonova.net' matched)
------------4F3D0D45A18DE123E5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Dear Valuable Customer,
This letter is simply a cordial notice. We haven’t accredited the payment for the following monthly bill yet, plus it is three working days delayed. Don't forget to make the payment for the following bill followed below, as fast as possible. If you could have issues, i highly recommend you e-mail us to discuss the matter.
Statement attached to this email.
We would appreciate your immediate attention to this subject.
Most sincerely,
Justin Parrish
Sucent Loan Services
------------4F3D0D45A18DE123E5
Content-Type: application/octet-stream;
name="efax_document675724_270.doc"
Content-transfer-encoding: base64
Content-Disposition: attachment;
filename="efax_document675724_270.doc"
______________
Alternate Body
Dear Client,
This email is simply a cordial notification. We have not validated the compensation for this invoice still, in addition it's 4 days overdue. Be sure to make payment for the account invoice down the page, in a timely manner. In case you have got concerns, i highly recommend you contact us to talk about the concern.
Statement attached to this e-mail.
We'd truly value your prompt focus on this matter.
With gratitude,
Damari Quinn
Demimbu Credit Services
________________________________________
Subjects seen:
You have got message about your unpaid invoice
You have collected message about your unpaid invoice
You have got email about unpaid statement
You have received message about your unpaid invoice
Doc Template Run:
https://app.any.run/tasks/6d6bdf97-86f2-4880-8e83-6fa44e8dbc14
Doc hashes:
Direct execution of payload:
https://app.any.run/tasks/e7e2cbdc-82cf-4ac6-a62a-26620e082e84
Binary Hashes:
f61bc27063dbca08901b133ae611e0752fcc3da28df46739fc7bc1661a72e075
C2:
https://gfthwards.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://gfthwards.eu/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://gfthwards.net/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://presifered.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://coujtried.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
Other malware found in open directory:
https://www.kbtseafood.com/wp-content/uploads/2019/07/