Racco42

2017-07-21 TrickBot "Voice Message Attached"

Jul 21st, 2017
2017-07-21: #TrickBot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"

-------------------------------------------------------------------------------------------------------------
To: [REDACTED]
Subject: Voice Message Attached from 01258898588 - name unavailable
Date: Fri, 21 Jul 2017 09:58:01 -0200

Time: 21-Jul-2017 10:15:23
Click attachment to listen to Voice Message

Attachment: 01258898588_1020422_553798.zip
-------------------------------------------------------------------------------------------------------------
- sender is [email protected]
- subject is "Voice Message Attached from <11 digits> - name unavailable"
- attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains file "<11 digits>_<7 digits>_<6 digits>.wsf", which will download another downloader from:

Download sites, stage1

The downloaded file is an MSHTA file with an embedded VBScript that will download the malware from:

Download sites, malware:
http://aprendersalsa.com/nhg67r
http://artegraf.org/nhg67r
http://asheardontheradiogreens.com/nhg67r
http://asuntomaailma.com/nhg67r

Malware:
- encoded on download, SHA256 1e2fa559dda59ddc5136aef1fef1ba4dc7eae952fd1a4c22a6e1fbd127c98987, MD5 7e66515f482f756343182262ded57516
- decode by XORing with XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68
- decoded SHA256 2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4, MD5 58578c7b40de85473fa3ed61a8325531
- VT: https://www.virustotal.com/file/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4/analysis/
- HA: https://www.reverse.it/sample/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4?environmentId=100
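Analyst helper for the decode step noted above, added here as an example and not part of the original paste: it XORs a downloaded blob with the quoted key and checks the result against the expected decoded SHA256. The XOR scheme (repeating ASCII key applied from offset 0) and the stand-in payload are assumptions of this example; the real sample is not included.

```python
import hashlib
from itertools import cycle

# Key quoted in the notes above. That it is used as a repeating ASCII key,
# byte-by-byte from offset 0, is an assumption of this example.
XOR_KEY = b"XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key as needed.
    XOR is symmetric, so the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 hex digests, the two values the notes record per stage."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def decode_and_verify(encoded: bytes, key: bytes, expected_sha256: str) -> tuple:
    """Decode the blob and compare it with the expected decoded SHA256.
    Returns (decoded_bytes, matches) so a mismatch is never silent."""
    decoded = xor_repeating_key(encoded, key)
    return decoded, hashes(decoded)["sha256"] == expected_sha256.lower()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows executable starts with the 'MZ' signature,
    which the encoded blob hides and the decoded one should expose."""
    return data[:2] == b"MZ"


# Constructed stand-in for the payload (NOT the real sample): a fake PE header
# plus filler, encoded with the key so the example runs offline.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_repeating_key(SAMPLE_PLAINTEXT, XOR_KEY)

if __name__ == "__main__":
    # Real use: encoded = open("downloaded_blob.bin", "rb").read() and the
    # expected hash is the decoded SHA256 from the notes.
    decoded, ok = decode_and_verify(SAMPLE_ENCODED, XOR_KEY, hashes(SAMPLE_PLAINTEXT)["sha256"])
    print("encoded starts with MZ:", looks_like_pe(SAMPLE_ENCODED))
    print("decoded starts with MZ:", looks_like_pe(decoded))
    print("decoded SHA256 matches:", ok, hashes(decoded))
```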