- sender addresses
- ---
- adc056@quefacil.com.gt
- adc56@quefacil.com.gt
- admin1@recruitmentonline.in
- ahmed@anjcarriers.com
- bmgmemo@yourhostingaccount.com
- claudia.macias@casco.com.mx
- contabilidad1@inversionesincarven.com.ve
- direccion@tirsa.com.mx
- jamal@bmgint.net <jamal@yourhostingaccount.com>
- jgatica@rossi.cl
- maria@exelfuel.co.zw
- omar.barajas@climaproyectos.com.mx
- shirshova.ev@fnkc-fmba.ru
- Observed some spoofed "Amazon.com <auto-confirm@amazon.com>" and "confirm@amazon.com" senders; their Return Path emails are listed above.
- ---
- subject lines
- ---
- Amazon Order #101-6822294-0962098
- Amazon Order #187-9321422-0266725
- Amazon order details
- Amazon.com order
- Amazon.com order payment
- Your Amazon Order 127-0478391-0792781
- ---
- [STATUS as of Jan 16 @ 3:00PM ET] link in email
- ---
- [403 ERROR] hxxp://science-house.ir/cgi-bin/Amazon/Attachments/2019-01
- [404 ERROR] hxxp://old.copyrightessentials.com/Amazon/Information/2019-01
- [ACTIVE] hxxp://dekbedbedrukken.koffie-bekers.nl/Amazon/Clients/01_19
- [ACTIVE] hxxp://liveloan.eu/Amazon/EN/Clients_Messages/01_19
- [ACTIVE] hxxp://smtp.stepoutforsuccess.ca/Amazon/Attachments/012019
- [ACTIVE] hxxp://sofathugian.vn/Amazon/EN/Payments/012019
- [ACTIVE] hxxp://themanorcentralparknguyenxien.net/Amazon/Orders_details/012019
- [ACTIVE] hxxp://www.themoonplease.com/Amazon/Clients/2019-01/
- [ERROR] hxxp://bluepalm.tech/Amazon/En/Payments_details/012019
- [NOT FOUND] hxxp://wellnessworkshop.ie/Amazon/EN/Clients_transactions/012019
- ---
- SHA256 of files downloaded from emailed links
- ---
- Majority of these files are on VirusTotal now; you can follow the chain there for executables / C2.
- ---
- additional sources on urlscan.io from today for those hashes
- ---