API tools faq
paste
Racco42

2017-07-21 TrickBot "Voice Message Attached"

Racco42
Jul 21st, 2017
2,637
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.61 KB | None | 0 0
raw download clone embed print report
  1. 2017-07-21: #TrickBot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"
  2.  
  3. -------------------------------------------------------------------------------------------------------------
  4. From: <[email protected]>
  5. To: [REDACTED]
  6. Subject: Voice Message Attached from 01258898588 - name unavailable
  7. Date: Fri, 21 Jul 2017 09:58:01 -0200
  8.  
  9. Time: 21-Jul-2017 10:15:23
  10. Click attachment to listen to Voice Message
  11.  
  12. Attachment: 01258898588_1020422_553798.zip
  13. -------------------------------------------------------------------------------------------------------------
  14. - sender is [email protected]
  15. - subject is "Voice Message Attached from <11 digits> - name unavailable"
  16. - attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains file "<11 digits>_<7 digits>_<6 digits>.wsf", which will donwload another downloader from:
  17.  
  18. Download sites, stage1
  19. http://ask3.com/sdfgdsg1?
  20. http://assieme.ch/sdfgdsg1?
  21. http://atc-academy.com/sdfgdsg1?
  22. http://atelier-2.ch/sdfgdsg1?
  23. http://atelier-kreft.de/sdfgdsg1?
  24. http://atolyekileroyunculari.com/sdfgdsg1?
  25. http://atrenz.de/sdfgdsg1?
  26. http://aube-genealogie.com/sdfgdsg1?
  27. http://audiotek.ca/sdfgdsg1?
  28. http://augsburger-maerchentheater.de/sdfgdsg1?
  29. http://aupaircol.com/sdfgdsg1?
  30. http://ausbildungscenter.net/sdfgdsg1?
  31. http://autobahnhexham.co.uk/sdfgdsg1?
  32. http://autobody.cciwest.net/sdfgdsg1?
  33. http://autocares-segui.com/sdfgdsg1?
  34. http://autoecoleciammarughi.com/sdfgdsg1?
  35. http://autoecole-jeanlouis.com/sdfgdsg1?
  36. http://auto-ecole-prudence.com/sdfgdsg1?
  37. http://autoghinzani.it/sdfgdsg1?
  38. http://autogrand.perm.ru/sdfgdsg1?
  39. http://autoparts-24.de/sdfgdsg1?
  40. http://autopin.co.uk/sdfgdsg1?
  41. http://avallon-informatique.fr/sdfgdsg1?
  42. http://avarus.de/sdfgdsg1?
  43. http://avocats-france-maroc.com/sdfgdsg1?
  44. http://avra-beach.gr/sdfgdsg1?
  45.  
  46. The downoaded file is MSHTA file with embedded VBScript script that will download malware from:
  47.  
  48. Download sites, malware:
  49. http://aprendersalsa.com/nhg67r
  50. http://artegraf.org/nhg67r
  51. http://asheardontheradiogreens.com/nhg67r
  52. http://asuntomaailma.com/nhg67r
  53.  
  54. Malware:
  55. - encoded on download, SHA256 1e2fa559dda59ddc5136aef1fef1ba4dc7eae952fd1a4c22a6e1fbd127c98987, MD5 7e66515f482f756343182262ded57516
  56. - decode by XORing with XNgLF7ImvxpibFPLuwhGK8ZXfBCO3q68
  57. - decoded SHA256 2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4, MD5 58578c7b40de85473fa3ed61a8325531
  58. - VT: https://www.virustotal.com/file/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4/analysis/
  59. - HA: https://www.reverse.it/sample/2c700512154df2924c8cdd22bce7d961e07a5317fcd3a969e94ec4eb14b4ffa4?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!