- 2020-05-06 (WEDNESDAY) - XLS ATTACHMENTS FROM MALSPAM PUSHING DRIDEX
- DATA FROM 10 EMAIL EXAMPLES:
- SENDING MAIL SERVERS:
- - Received: from ([94.158.83.20])
- - Received: from ([217.133.10.43])
- - Received: from ([93.32.81.205])
- - Received: from [116.103.20.119] ([116.103.20.119])
- - Received: from host2-47-static.45-85-b.business.telecomitalia.it ([85.45.47.2])
- - Received: from ([5.90.149.147])
- - Received: from ([213.60.190.210])
- - Received: from ([181.43.240.0])
- - Received: from modemtelecom.homenet.telecomitalia.it ([79.56.20.116])
- - Received: from ([213.26.203.148])
- SPOOFED SENDING EMAIL ADDRESSES:
- - From: DHL - Brook Conway <Brook.Conway@dhl.com>
- - From: DHL - Josephine Warren <Josephine.Warren@dhl.com>
- - From: DHL - Caroline Morrison <Caroline.Morrison@dhl.com>
- - From: DHL - Erica Lees <Erica.Lees@dhl.com>
- - From: DHL Express - India Sutton <India.Sutton@dhl.com>
- - From: "\Intuit Service\" <quickbooks@notification.intuit.com>
- - From: "\Intuit E-Commerce Service\" <quickbooks@notification.intuit.com>
- - From: "Intuit Notification" <quickbooks@notification.intuit.com>
- - From: <quickbooks@notification.intuit.com>
- SUBJECT LINES:
- - Subject: DHL - invoice(s)
- - Subject: DHL enclosed invoices
- - Subject: enclosed invoices
- - Subject: Invoice 322868
- - Subject: Invoice/Sales Receipt 382478
- - Subject: Invoice/Sales Receipt 798512
- - Subject: Purchase Order/Invoice 884120
- - Subject: Reminder: Invoice 492702
- ATTACHMENT NAMES:
- - 647 81027{DIGIT[5]).xls
- - 650 10317{DIGIT[5]).xls
- - 725 45253{DIGIT[5]).xls
- - 926 37283{DIGIT[5]).xls
- - 987 81519{DIGIT[5]).xls
- - Inv-382478.XLS
- - Inv_492702.XLS
- - INV_798512.XLS
- - invoice.322868.xls
- - invoice-884120.xls
- ATTACHMENT EXAMPLES:
- - SHA256 hash: 5ade0c4492ffe4b77776543635a5cad0eef6d4a207f69dac0a59f9ad76aa42ba
- - File size: 87,040 bytes
- - File name: 548 49931{DIGIT[5]).xls
- - Analysis: https://app.any.run/tasks/4fcd41f9-27ae-4361-a2f6-1599a65e970f
- - SHA256 hash: 7f8f24884e26b4b508d5147f8f54269e452d1200904323544ef36e30400190b1
- - File size: 84,992 bytes
- - File name: Inv_219278.xls
- - Analysis: https://app.any.run/tasks/e7f30c31-66c4-4209-9b8a-edc987a20e46
- BOTH OF THE ABOVE FILES RETRIEVE INFO FROM:
- - 80.249.147[.]185 port 443 (HTTPS) - gorgetto[.]com - GET /?1521169368286060714509328740714221001
- EXAMPLE OF TODAY'S INITIAL DRIDEX DLL:
- - SHA256 hash: d94f16865de67b97fd6b953c54914d10e92cf8948843f8c8a275126af4b7805d
- - File size: 477,696 bytes
- - File location: C:\Users\[username]\AppData\Local\Temp\[random file name]
- - To run: regsvr32.exe -s [file name]
- - Analysis: https://app.any.run/tasks/8c587523-7ac5-4fe4-ba82-dc713b92279e