Racco42

2017-07-21 TrickBot "Voice Message Attached"

Jul 21st, 2017
2017-07-21: #TrickBot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"

-------------------------------------------------------------------------------------------------------------
From: <vm@unlimitedhorizon.co.uk>
To: [REDACTED]
Subject: Voice Message Attached from 01258898588 - name unavailable
Date: Fri, 21 Jul 2017 09:58:01 -0200

Time: 21-Jul-2017 10:15:23
Click attachment to listen to Voice Message

Attachment: 01258898588_1020422_553798.zip
-------------------------------------------------------------------------------------------------------------
- sender is vm@unlimitedhorizon.co.uk
- subject is "Voice Message Attached from <11 digits> - name unavailable"
- attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains the script file "<11 digits>_<7 digits>_<6 digits>.wsf", which downloads another downloader from:

Download sites, stage1
http://ask3.com/sdfgdsg1?
http://assieme.ch/sdfgdsg1?
http://atc-academy.com/sdfgdsg1?
http://atelier-2.ch/sdfgdsg1?
http://atelier-kreft.de/sdfgdsg1?
http://atolyekileroyunculari.com/sdfgdsg1?
http://atrenz.de/sdfgdsg1?
http://aube-genealogie.com/sdfgdsg1?
http://audiotek.ca/sdfgdsg1?
http://augsburger-maerchentheater.de/sdfgdsg1?
http://aupaircol.com/sdfgdsg1?
http://ausbildungscenter.net/sdfgdsg1?
http://autobahnhexham.co.uk/sdfgdsg1?
http://autobody.cciwest.net/sdfgdsg1?
http://autocares-segui.com/sdfgdsg1?
http://autoecoleciammarughi.com/sdfgdsg1?
http://autoecole-jeanlouis.com/sdfgdsg1?
http://auto-ecole-prudence.com/sdfgdsg1?
http://autoghinzani.it/sdfgdsg1?
http://autogrand.perm.ru/sdfgdsg1?
http://autoparts-24.de/sdfgdsg1?
http://autopin.co.uk/sdfgdsg1?
http://avallon-informatique.fr/sdfgdsg1?
http://avarus.de/sdfgdsg1?
http://avocats-france-maroc.com/sdfgdsg1?
http://avra-beach.gr/sdfgdsg1?

The downloaded file is an HTA file (executed by mshta.exe) with an embedded VBScript that downloads the malware from:

Download sites, malware:
http://aprendersalsa.com/nhg67r
http://artegraf.org/nhg67r
http://asheardontheradiogreens.com/nhg67r
http://asuntomaailma.com/nhg67r

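
The lure characteristics and URL paths listed above translate directly into detection logic. The following is an added example (not part of the original paste) that encodes them as checks: the subject and attachment patterns with the 11-digit number cross-checked between them, and the two URL paths matched on path alone so that the rotating compromised hosts do not matter. The regexes are derived from the paste; the `match_email`, `classify_url` and `scan_proxy_log` functions, the proxy-log line format and all sample messages and log lines other than the paste's own header values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the paste. Hostnames are deliberately not used:
# the campaign rotates compromised sites, the URL paths are what repeats.
SENDER = "vm@unlimitedhorizon.co.uk"
SUBJECT_RE = re.compile(r"^Voice Message Attached from (\d{11}) - name unavailable$")
ATTACH_RE = re.compile(r"^(\d{11})_\d{7}_\d{6}\.(zip|wsf)$", re.IGNORECASE)
STAGE1_PATH = "/sdfgdsg1"   # fetched as /sdfgdsg1? (empty query string)
MALWARE_PATH = "/nhg67r"


def classify_url(url):
    """Return 'stage1', 'malware' or None, matching on the URL path only."""
    path = urlsplit(url).path
    if path == STAGE1_PATH:
        return "stage1"
    if path == MALWARE_PATH:
        return "malware"
    return None


def match_email(sender, subject, attachments):
    """Check one message against the lure characteristics.

    'number_match' records that the 11-digit number in the subject equals
    the leading number of an attachment, as in the sample message. A subject
    and attachment hit together counts as a campaign match even if the
    sender differs, since the From: address is trivially changed.
    """
    hits = {"sender": sender.strip().lower() == SENDER,
            "subject": False, "attachment": False, "number_match": False}
    m = SUBJECT_RE.match(subject.strip())
    hits["subject"] = m is not None
    for name in attachments:
        a = ATTACH_RE.match(name.strip())
        if a:
            hits["attachment"] = True
            if m and a.group(1) == m.group(1):
                hits["number_match"] = True
    hits["campaign"] = hits["subject"] and hits["attachment"]
    return hits


def scan_proxy_log(lines):
    """Scan constructed 'client method url' lines for the two URL paths.
    Returns (client, url, stage) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        stage = classify_url(parts[2])
        if stage:
            hits.append((parts[0], parts[2], stage))
    return hits


# Constructed sample data. The first message reuses the header values from
# the paste; the others are invented to show non-matches.
SAMPLE_MESSAGES = [
    ("vm@unlimitedhorizon.co.uk",
     "Voice Message Attached from 01258898588 - name unavailable",
     ["01258898588_1020422_553798.zip"]),
    ("billing@example.com", "Your invoice for July", ["invoice.pdf"]),
    ("vm@unlimitedhorizon.co.uk", "Re: meeting", []),
]
# Constructed proxy log; the last line is a host not in the paste's list.
SAMPLE_PROXY_LOG = [
    "10.0.0.7 GET http://ask3.com/sdfgdsg1?",
    "10.0.0.7 GET http://aprendersalsa.com/nhg67r",
    "10.0.0.9 GET http://example.com/index.html",
    "10.0.0.9 GET http://not-in-the-list.example/sdfgdsg1?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg[1], "->", match_email(*msg))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on the path rather than the host is the point of the example: the 26 stage1 hosts above are compromised legitimate sites and will differ from one wave to the next, while `/sdfgdsg1?` and `/nhg67r` are what this wave reused.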
Malware:
- as downloaded, the file is XOR-encoded: SHA256 1e2fa559dda59ddc5136aef1fef1ba4dc7eae952fd1a4c22a6e1fbd127c98987, MD5 7e66515f482f756343182262ded57516
- decode by XORing with the key XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68
- decoded: SHA256 2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4, MD5 58578c7b40de85473fa3ed61a8325531
- VT: https://www.virustotal.com/file/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4/analysis/
- HA: https://www.reverse.it/sample/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4?environmentId=100
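
The decode step above, as an added example that is not part of the original paste. It applies the key as a plain repeating-key XOR starting at offset 0 (the paste gives the key but not how it is applied, so that is an assumption), hashes the input before and the output after decoding so the result can be checked against the SHA256 values listed, and adds two things a practitioner reaches for when the hashes are not at hand: a PE-shape plausibility check on the decoded bytes, and recovery of key bytes from known plaintext (the `MZ` at offset 0). The real payload is not on the page, so the sample input is a constructed 128-byte PE-shaped header, not an executable; `decode_and_verify` with the paste's hashes therefore reports an input mismatch on it, which is the intended behaviour for a wrong file.

```python
import hashlib
from itertools import cycle

KEY = b"XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68"
# Hashes from the paste for the real encoded and decoded payloads.
ENCODED_SHA256 = "1e2fa559dda59ddc5136aef1fef1ba4dc7eae952fd1a4c22a6e1fbd127c98987"
DECODED_SHA256 = "2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4"


def xor_with_key(data, key=KEY):
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and
    decodes. Assumption: the key repeats from offset 0 with no skew."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def looks_like_pe(data):
    """Plausibility check when no reference hash is at hand: a Windows
    executable starts with 'MZ' and has 'PE\\0\\0' at the offset stored in
    e_lfanew (the 4 bytes at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def decode_and_verify(encoded, expected_in=ENCODED_SHA256, expected_out=DECODED_SHA256):
    """Hash the input before touching it, decode, hash the result.
    Returns (decoded, input_matches, output_matches)."""
    input_ok = sha256_hex(encoded) == expected_in.lower()
    decoded = xor_with_key(encoded)
    output_ok = sha256_hex(decoded) == expected_out.lower()
    return decoded, input_ok, output_ok


def key_bytes_from_known_plaintext(encoded, known, offset=0):
    """Recover len(known) key bytes from a known-plaintext position, e.g. the
    'MZ' at offset 0. With a repeating key these are the key bytes at
    positions offset .. offset+len(known) modulo the key length."""
    return bytes(c ^ p for c, p in zip(encoded[offset:offset + len(known)], known))


def build_fake_pe():
    """Constructed stand-in for the real payload, which is not on the page:
    a 64-byte DOS header with 'MZ' and e_lfanew = 0x40, followed by the PE
    signature and filler. Only the header shape is realistic."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + bytes(60)


SAMPLE_PLAIN = build_fake_pe()
SAMPLE_ENCODED = xor_with_key(SAMPLE_PLAIN)   # constructed "as downloaded" form

if __name__ == "__main__":
    decoded, in_ok, out_ok = decode_and_verify(
        SAMPLE_ENCODED, sha256_hex(SAMPLE_ENCODED), sha256_hex(SAMPLE_PLAIN))
    print("decoded ok:", in_ok and out_ok, "PE-shaped:", looks_like_pe(decoded))
    print("key prefix from 'MZ':", key_bytes_from_known_plaintext(SAMPLE_ENCODED, b"MZ"))
    print("against the paste's hashes:", decode_and_verify(SAMPLE_ENCODED)[1:])
```

On the real sample the call would be `decode_and_verify(open(path, "rb").read())` with the default hashes; both flags should come back true. If the output hash fails while the input hash passes, the key is right but the assumption about how it is applied (offset, or something other than a straight repeat) is wrong, and `key_bytes_from_known_plaintext` against the `MZ` bytes is the quickest way to see where the key stream actually starts.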