2017-07-26 GlobeImposter "NN_Order_NNNN"

Racco42, Jul 26th, 2017 (edited)
2017-07-26: #GlobeImposter email phishing campaign "NN_Document|File|Invoice|Receipt|Scan_NNNN"
Samples: 373

Email sample:
----------------------------------------------------------------------------------------------------------------
From: DEMETRIUS WESTBROOK <demetriuswestbrook@incogniterra.org>
To: [REDACTED]
Subject: 93_Scan_1324
Date: Wed, 26 Jul 2017 19:06:17 +0200

001_0444

Attachment: 001_0444.zip -> 0001_1935.zip -> 001_1935.docm
----------------------------------------------------------------------------------------------------------------
- sender is random
- subject is "<2 digits>_<DOC|Document|File|Invoice|Receipt|Scan>_<4 digits>"
- attached file "001_<4 digits>.zip" contains another zip, which in turn contains "001_<4 digits>.docm", a macro-enabled MS Word document; the macro downloads the XOR-encoded malware payload from one of the download sites listed below

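As an added example, not part of the original paste: the following Python script checks an email against the pattern described above (subject regex, the "NNN_NNNN.zip -> NNNN_NNNN.zip -> NNN_NNNN.docm" nesting, and whether the inner .docm actually carries a VBA project). The attachment is constructed in memory to mirror the observed chain 001_0444.zip -> 0001_1935.zip -> 001_1935.docm. The extra macro-enabled extensions beyond .docm, the recursion depth limit and the member size cap are assumptions of this example, not something the paste reports.

```python
import io
import re
import zipfile

# Subject pattern quoted in the paste: "<2 digits>_<DOC|Document|File|Invoice|Receipt|Scan>_<4 digits>"
SUBJECT_RE = re.compile(r"^\d{2}_(DOC|Document|File|Invoice|Receipt|Scan)_\d{4}$")
# Attachment names seen: 001_0444.zip, 0001_1935.zip, 001_1935.docm (3 or 4 leading digits)
ATTACH_NAME_RE = re.compile(r"^\d{3,4}_\d{4}\.(zip|docm)$")
# .docm is what the paste observed; the other macro-enabled OOXML extensions are assumed siblings
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")
MAX_DEPTH = 4                      # assumed guard against deeply nested / zip-bomb style attachments
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed guard: skip members larger than 20 MiB


def has_vba_project(office_bytes):
    """An OOXML document is itself a zip; a macro is present when it carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_macro_docs(zip_bytes, path="", depth=0):
    """Recursively unpack nested zips in memory; return [(member path, has VBA)] for macro-enabled docs."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            lower = info.filename.lower()
            if lower.endswith(".zip"):
                hits.extend(find_macro_docs(zf.read(info), member_path, depth + 1))
            elif lower.endswith(MACRO_EXTS):
                hits.append((member_path, has_vba_project(zf.read(info))))
    return hits


def matches_campaign(subject, attachment_name, attachment_bytes):
    """True when subject, outer attachment name and nested content all fit the pattern in the paste."""
    if not SUBJECT_RE.match(subject) or not ATTACH_NAME_RE.match(attachment_name):
        return False
    docs = find_macro_docs(attachment_bytes)
    return any(ATTACH_NAME_RE.match(p.rsplit("/", 1)[-1]) and vba for p, vba in docs)


def build_zip(members):
    """Helper to build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mirroring the observed chain 001_0444.zip -> 0001_1935.zip -> 001_1935.docm
SAMPLE_DOCM = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",   # stand-in for the OLE-packed VBA project
})
SAMPLE_ATTACHMENT = build_zip({"0001_1935.zip": build_zip({"001_1935.docm": SAMPLE_DOCM})})

if __name__ == "__main__":
    print(find_macro_docs(SAMPLE_ATTACHMENT))
    print(matches_campaign("93_Scan_1324", "001_0444.zip", SAMPLE_ATTACHMENT))
```

Run against a real mail by feeding the subject, the outer attachment filename and its raw bytes to matches_campaign; the vbaProject.bin check is what separates a genuinely macro-enabled document from a renamed .docx.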
Attachments:
5514117aaba438d5a3bf917a911ed4884897a6ec6b1ad1acc1e574144ada92bb  001_1787.docm
b66e60f8b7b500ccd6009c10dcd6b6d94855165967c31c37bdb8c1b382a8d952  001_1935.docm
b3d05c625527e2dfea7646bca9de7bc49068855a2304a2eb6b6f6d2f94493df6  001_3213.docm
0c16635b3fbd6d0bd41d90227aacbdb509bac6ba19883da472def3ad8b883f4f  001_3376.docm
16fbf067889c15ee9c81c591a2b67e791ba3d68e0d8e4f510f87a0bd0b760545  001_3641.docm
eb8170b4f845a72ecf796749d4c3e1ace39451a8999166fcf7fcb17e8fe467d0  001_4227.docm
9853622a0989a181c03fe1d433b7510cc5d5fe7e46b2972fe6b99e7537f361da  001_4948.docm
a904a1f15941db292dce920908f07c5c2318fe43c56fa85aa23ce75d17b74026  001_5079.docm
a128ba744b4ccfc7e8c86cee8dba13894145268ec2fa540a69f9396a5e448c39  001_5332.docm
0ff2d98cdc9d1cdabf419b8d25c11711187a46137a3dcfb4200a66cdcd16cb9a  001_5376.docm
e276ef0f99df76fc4924120e88f407e633f31c83edee0dfc62bac3b5f9ab4b1b  001_6350.docm
9847116a18d773f3448629068a2bb50bac5ebb03bd4ef481ef7008e05823789d  001_6458.docm
37d4e2478be67dad599359c3c1649f5ca03010f753b3f19077e9e841520dd149  001_6919.docm
396e75051ed5a7b2fe55eed9dc310b6c210259148d0dbef68ddd029586932df1  001_7719.docm
43ce2e21db13e155c791f4c55aeafd193a9b6f7617f10db6d1a40929d3f680bb  001_7737.docm
a987500a5179cc0c05d2ab81d73d44d689f8410b9f77f84dff5060c6f2cd957e  001_8380.docm
e98a99fb75e6869cdb9c4f4145bb705241cba65e71e70cbcdcd66a2048ea15d9  001_9060.docm
3b85d875a6ea47f9add681bb3b8fac098ff7a875709ae3f9cd8c54d60c5a775c  001_9174.docm
90c5c5e4fcf8b0a376c8836686fd704ef18cfb960c045b217f08185be6ec3429  001_9543.docm
bb2cb0d5a8c0c7f49b4feb675f58a8394f2a24602a7009643d4200959b51dc2d  001_9584.docm
83ad03f06d2046ec6467c5f4985667ece6440dce62d009ee7c48e045e6268d3e  001_9806.docm

Download sites:
http://aarontax.com/hjbgtg67
http://ayurvoyage.com/hjbgtg67
http://dabar.name/hjbgtg67
http://dessde.com/hjbgtg67
http://e-snhv.com/hjbgtg67
http://fondazioneprogenies.com/hjbgtg67
http://gbaudiovisual.co.uk/hjbgtg67
http://inormann.it/hjbgtg67
http://motelesapp.com/hjbgtg67
http://newlifetabernacle.org.uk/hjbgtg67
http://pearlgonzalez.com/hjbgtg67
http://swangroup.net/hjbgtg67
http://tayangfood.com/hjbgtg67
http://thegardiners.ca/hjbgtg67
http://trominguatedrop.org/af/hjbgtg67
http://urban-dna.pt/hjbgtg67
http://vendemasonline.com/hjbgtg67
http://wankelstefan.de/hjbgtg67
http://westsussexcentre.org.uk/hjbgtg67
http://ymcaonline.net/hjbgtg67

Malware:
- the payload is served XOR-encoded; encoded file SHA256 33b775f740a94ad524c7079ef70c47d188a5b89dd92dc54f013247ed722104e9, MD5 d2056a71e2f06a775154a48c3123b6c9
- decode by XORing with the key "9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"
- decoded file SHA256 a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e, MD5 7fd856f90b2ed4611d71fa530f1fc757
- VT: https://www.virustotal.com/en/file/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e/analysis/1501096328/
- HA: https://www.hybrid-analysis.com/sample/a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e?environmentId=100
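As an added example, not part of the original paste: a Python helper that applies the XOR decoding described above to a downloaded file and verifies the result against the SHA256 values given. It assumes the 32-byte key is used as a repeating-key XOR over the whole file and that the decoded payload is a Windows PE; the paste states neither explicitly, and the MZ/PE header check is only a plausibility test that the key was applied correctly. The sample input below is a constructed stand-in encoded with the same key, not the real payload.

```python
import hashlib
import sys
from itertools import cycle

# Values quoted in the paste
XOR_KEY = b"9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"
ENCODED_SHA256 = "33b775f740a94ad524c7079ef70c47d188a5b89dd92dc54f013247ed722104e9"
DECODED_SHA256 = "a1cde05bb37cecfecc2ccfb57807d2db66393d73c6e88e129507ffcb70f0ba2e"


def xor_decode(data, key=XOR_KEY):
    """Repeating-key XOR (assumed mode of use for the key); the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data):
    """Plausibility check that the key was right: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew.
    That the payload is a PE is an assumption of this example, not something the paste states."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_and_verify(encoded, expected_decoded_sha256=DECODED_SHA256):
    """Return (decoded bytes, passes PE header check, SHA256 matches the expected value)."""
    decoded = xor_decode(encoded)
    return decoded, looks_like_pe(decoded), sha256_hex(decoded) == expected_decoded_sha256


def build_fake_pe():
    """Constructed stand-in for the decoded payload: a minimal MZ/PE header plus filler."""
    blob = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew at offset 0x3C
    blob += (0x40).to_bytes(4, "little")             # e_lfanew -> PE signature at offset 0x40
    blob += b"PE\x00\x00" + b"\x4c\x01"              # PE signature + Machine = i386
    blob += b"constructed stand-in body, not the real sample " * 4
    return bytes(blob)


SAMPLE_PLAINTEXT = build_fake_pe()
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAINTEXT)       # what a "download" of the stand-in looks like

if __name__ == "__main__":
    # Usage: python xor_decode.py <downloaded_file>   (without an argument, runs on the stand-in)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            encoded = fh.read()
        print("encoded sha256:", sha256_hex(encoded), "(paste:", ENCODED_SHA256 + ")")
        decoded, is_pe, matches = decode_and_verify(encoded)
    else:
        decoded, is_pe, matches = decode_and_verify(SAMPLE_ENCODED, sha256_hex(SAMPLE_PLAINTEXT))
    print("decoded sha256:", sha256_hex(decoded))
    print("PE header ok:", is_pe, " matches expected hash:", matches)
```

When run on the real download, the encoded hash should equal ENCODED_SHA256 before decoding and the decoded hash DECODED_SHA256 afterwards; a decoded file that fails the PE header check means the key or the XOR mode differs from what this example assumes.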