2017-07-21 TrickBot "Voice Message Attached"

Racco42, Jul 21st, 2017 (edited)
2017-07-21: #TrickBot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"

-------------------------------------------------------------------------------------------------------------
From: <vm@unlimitedhorizon.co.uk>
To: [REDACTED]
Subject: Voice Message Attached from 01258898588 - name unavailable
Date: Fri, 21 Jul 2017 09:58:01 -0200

Time: 21-Jul-2017 10:15:23
Click attachment to listen to Voice Message

Attachment: 01258898588_1020422_553798.zip
-------------------------------------------------------------------------------------------------------------
- sender is vm@unlimitedhorizon.co.uk
- subject is "Voice Message Attached from <11 digits> - name unavailable"
- attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains the file "<11 digits>_<7 digits>_<6 digits>.wsf", which downloads another downloader from:

Download sites, stage1

The downloaded file is an MSHTA file with an embedded VBScript that downloads the malware from:

Download sites, malware:
http://aprendersalsa.com/nhg67r
http://artegraf.org/nhg67r
http://asheardontheradiogreens.com/nhg67r
http://asuntomaailma.com/nhg67r

Malware:
- encoded on download, SHA256 1e2fa559dda59ddc5136aef1fef1ba4dc7eae952fd1a4c22a6e1fbd127c98987, MD5 7e66515f482f756343182262ded57516
- decode by XORing with XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68
- decoded SHA256 2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4, MD5 58578c7b40de85473fa3ed61a8325531
- VT: https://www.virustotal.com/file/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4/analysis/
- HA: https://www.reverse.it/sample/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4?environmentId=100
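As an added example (not part of Racco42's paste), the two analyst steps above in Python: a repeating-key XOR decoder that checks the result against the published decoded SHA256, plus a matcher for the lure's subject and attachment-name templates. The sample bytes are constructed, and the names SUBJECT_RE, matches_lure, decode_and_verify and looks_like_pe are the example's own.

```python
import hashlib
import re
from itertools import cycle

# Values taken from the campaign notes above
XOR_KEY = b"XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68"
DECODED_SHA256 = "2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4"
# Lure templates from the notes: <11 digits> in the subject, <11>_<7>_<6>.zip as attachment
SUBJECT_RE = re.compile(r"^Voice Message Attached from \d{11} - name unavailable$")
ATTACHMENT_RE = re.compile(r"^\d{11}_\d{7}_\d{6}\.(zip|wsf)$", re.IGNORECASE)

def matches_lure(subject: str, attachment: str) -> bool:
    """True when both the subject and the attachment name fit the campaign template."""
    return bool(SUBJECT_RE.match(subject.strip()) and ATTACHMENT_RE.match(attachment.strip()))

def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR 'data' with a repeating key; XOR is symmetric, so this also encodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a correctly decoded Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"

def decode_and_verify(blob: bytes, expected_sha256: str, key: bytes = XOR_KEY) -> bytes:
    """Decode 'blob' and compare it with the published hash of the decoded sample;
    a wrong key or a truncated download shows up as a hash mismatch."""
    decoded = xor_decode(blob, key)
    if sha256_hex(decoded) != expected_sha256.lower():
        raise ValueError("decoded hash mismatch: wrong key or damaged download")
    return decoded

# Constructed stand-in for the downloaded file (not the real sample): a fake
# 'MZ' header plus filler, encoded with the campaign key.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)
SAMPLE_SHA256 = sha256_hex(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("lure match:", matches_lure(
        "Voice Message Attached from 01258898588 - name unavailable",
        "01258898588_1020422_553798.zip"))
    # For a real download, pass DECODED_SHA256 instead of SAMPLE_SHA256.
    out = decode_and_verify(SAMPLE_ENCODED, SAMPLE_SHA256)
    print("decoded OK, PE header present:", looks_like_pe(out))
```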