2017-07-24 TrickBot "Voice Message" and "blank"

Racco42, Jul 24th, 2017 (edited)
2017-07-24: #trickbot email phishing campaign "Voice Message Attached from NNNNNNNNNNN - name unavailable"
Samples: 687

Email sample:
-------------------------------------------------------------------------------------------------------------------
From: <vm0@shelleycox.co.uk>
To: [REDACTED]
Subject: Voice Message Attached from 01257745291 - name unavailable
Date: Mon, 24 Jul 2017 17:29:35 +0700

Time: 21-Jul-2017 10:15:23
Click attachment to listen to Voice Message

Attachment: 01257745291_0580299_826828.zip -> 01258861149_20170411_704952.wsf
-------------------------------------------------------------------------------------------------------------------
- sender address is vm<1-5 digits>@<domain>
- subject is "Voice Message Attached from <11 digits> - name unavailable"
- attached file "<11 digits>_<7 digits>_<6 digits>.zip" contains file "<11 digits>_<7 digits>_<6 digits>.wsf" (note that the .wsf in the sample above, 01258861149_20170411_704952.wsf, has an 8-digit middle field); the .wsf downloads the second-stage downloader from:

Stage2 downloader sites:
http://asozan.com/mllgkkei17?
http://atelier-kreft.de/mllgkkei24?
http://atc-academy.com/mllgkkei20?
http://atmprotectiveservices.com.au/mllgkkei23?
http://aupaircol.com/mllgkkei19?
http://ausbildungscenter.net/mllgkkei14?
http://auto-ecole-prudence.com/mllgkkei10?
http://autobody.cciwest.net/mllgkkei21?
http://autocares-segui.com/mllgkkei15?
http://autoecoleciammarughi.com/mllgkkei12?
http://autoecole-jeanlouis.com/mllgkkei11?
http://autoghinzani.it/mllgkkei16?
http://autogrand.perm.ru/mllgkkei13?
http://autoparts-24.de/mllgkkei2?
http://avallon-informatique.fr/mllgkkei18?
http://avra-beach.gr/mllgkkei22?
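
The sender, subject, attachment-name and URL patterns above can be turned directly into mail-gateway or log-search rules. The script below is an added example (not the paste author's code): it encodes those patterns as regexes and runs them over two constructed messages, the first of which reuses the From/Subject/attachment names from the e-mail sample in the paste. The .wsf regex accepts a 7- or 8-digit middle field because the paste's own sample has 8 where the text says 7.

```python
#!/usr/bin/env python3
"""Match the campaign indicators listed in the paste against a message.

Added example, not the paste author's code. The regexes encode the sender,
subject, attachment-name and URL patterns from the paste; the two messages
below are constructed test data (the first copies the From/Subject of the
paste's e-mail sample).
"""
import email
import re
from email.utils import parseaddr
from typing import Dict, Iterable, Optional

SENDER_RE = re.compile(r"^vm\d{1,5}@[\w.-]+$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"^Voice Message Attached from \d{11} - name unavailable$")
ZIP_RE = re.compile(r"^\d{11}_\d{7}_\d{6}\.zip$")
# The paste says <7 digits> for the middle field, but its own .wsf sample
# (01258861149_20170411_704952.wsf) has 8, so accept either.
WSF_RE = re.compile(r"^\d{11}_\d{7,8}_\d{6}\.wsf$")
STAGE2_URL_RE = re.compile(r"^https?://[^/\s]+/mllgkkei\d{1,2}\?$")
PAYLOAD_URL_RE = re.compile(r"^https?://[^/\s]+/378fh3$")


def match_indicators(raw_message: str,
                     attachment_names: Iterable[str],
                     zip_member_names: Iterable[str] = ()) -> Dict[str, bool]:
    """Return which of the paste's e-mail indicators the message matches."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]        # strips "<...>" / display name
    subject = (msg.get("Subject") or "").strip()
    return {
        "sender": bool(SENDER_RE.match(sender)),
        "subject": bool(SUBJECT_RE.match(subject)),
        "zip": any(ZIP_RE.match(n) for n in attachment_names),
        "wsf": any(WSF_RE.match(n) for n in zip_member_names),
    }


def is_campaign_email(raw_message: str,
                      attachment_names: Iterable[str],
                      zip_member_names: Iterable[str] = ()) -> bool:
    """Sender, subject and a matching .zip name together are the decision;
    the .wsf name is extra evidence that is only available once the zip is opened."""
    m = match_indicators(raw_message, attachment_names, zip_member_names)
    return m["sender"] and m["subject"] and m["zip"]


def classify_url(url: str) -> Optional[str]:
    """Map a URL to one of the paste's two URL shapes, or None."""
    if STAGE2_URL_RE.match(url):
        return "stage2"
    if PAYLOAD_URL_RE.match(url):
        return "payload"
    return None


# Constructed messages; the first reuses the From/Subject from the paste's sample.
SAMPLE_HIT = """From: <vm0@shelleycox.co.uk>
To: victim@example.com
Subject: Voice Message Attached from 01257745291 - name unavailable
Date: Mon, 24 Jul 2017 17:29:35 +0700

Time: 21-Jul-2017 10:15:23
Click attachment to listen to Voice Message
"""
SAMPLE_BENIGN = """From: Alice <alice@example.com>
To: victim@example.com
Subject: Re: lunch on Friday

See you at noon.
"""

if __name__ == "__main__":
    print(match_indicators(SAMPLE_HIT, ["01257745291_0580299_826828.zip"],
                           ["01258861149_20170411_704952.wsf"]))
    print(is_campaign_email(SAMPLE_HIT, ["01257745291_0580299_826828.zip"]))
    print(is_campaign_email(SAMPLE_BENIGN, ["notes.zip"]))
    for u in ("http://asozan.com/mllgkkei17?", "http://angielam.com/378fh3"):
        print(u, classify_url(u))
```

The URL regexes deliberately ignore the host, since the campaign rotates through many compromised domains but keeps the same path shapes ("/mllgkkei<N>?" for the stage-2 downloader, "/378fh3" for the payload); matching on the path is what survives the next batch of hosts.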

Malware download sites:
http://angielam.com/378fh3
http://apparelsave.com/378fh3
http://arbeidspassie.nl/378fh3
http://arquison2008.com/378fh3
http://ars89.net/378fh3
http://artazaromo.com/378fh3
http://artcafe.stargard.com.pl/378fh3
http://artdeco-repro.com/378fh3
http://artigianatorusso.com/378fh3
http://artplast.uz/378fh3
http://arttouseit.ro/378fh3
http://artwater.es/378fh3
http://aryantech.com.my/378fh3
http://ascensions.fr/378fh3
http://asesoreszapico.com/378fh3
http://asheardontheradiogreens.com/378fh3
http://ashtangayogabcn.com/378fh3
http://asianart.uz/378fh3
http://aslan-natursteine.de/378fh3
http://asliozturk.com/378fh3
http://aspensunrise.com/378fh3
http://assiemme.it/378fh3
http://associacioaurora.org/378fh3
http://associazioneignis.it/378fh3
http://astrid-kerber.de/378fh3
http://astrologie-forum.info/378fh3
http://athleteatwork.co.uk/378fh3
http://atn.de/378fh3

Malware:
- encoded on download, SHA256 626b30c22ac35f2bc371c4989ce2b1d435d44d0c86d0e9009b33c852ebc67976, MD5 78020fe348ba9ce40807f60e8375dd51
- decode by XORing with "J5Z774rKPlS5pGrB047O9DZbH6FR2C3l"
- decoded SHA256 5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224, MD5 d113359f92fce6d110bd840b72eec213
- VT: https://www.virustotal.com/en/file/5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224/analysis/1500895222/
- HA: https://www.reverse.it/sample/5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224?environmentId=100
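
The decoding step above (XOR the downloaded blob with a 32-character string) is easy to get subtly wrong if the key is not repeated over the whole file or the wrong bytes are XORed. The script below is an added example, not the paste author's code. It assumes the key is applied as a repeating key from offset 0 (the usual reading of "XORing with" a short string), takes the key and the two SHA256 values from the paste so a real download can be checked end to end, and adds a cheap PE sanity check so a wrong key fails loudly. It also shows how the key could have been recovered without the paste, using the "This program cannot be run in DOS mode." string as a crib; that assumes the decoded PE has the stub string at offset 0x4E, which is typical for MSVC-linked binaries but was not verified against this sample. The stand-in PE built by build_sample_pe() is constructed here so the script runs offline and does not contain the real malware.

```python
#!/usr/bin/env python3
"""Decode the XOR-encoded TrickBot payload described in the paste.

Added example, not the paste author's code. XOR_KEY and the two SHA256
values come from the paste. The "payload" built by build_sample_pe() is a
constructed stand-in (MZ header, e_lfanew, DOS stub text, PE signature),
NOT the real sample, so the self-check runs offline.
"""
import hashlib
import struct
import sys
from itertools import cycle
from typing import Optional

XOR_KEY = b"J5Z774rKPlS5pGrB047O9DZbH6FR2C3l"            # from the paste (32 bytes)
ENCODED_SHA256 = "626b30c22ac35f2bc371c4989ce2b1d435d44d0c86d0e9009b33c852ebc67976"
DECODED_SHA256 = "5da46c563f10b51d21cb2755388753eb4d154c6605e0bf89759cae830c376224"

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."  # 39-byte crib, >= key length
DOS_STUB_OFFSET = 0x4E  # assumption: where MSVC-linked PEs usually place the stub text


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR from offset 0; the operation is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(encoded: bytes, key: bytes = XOR_KEY,
                   expected_encoded: Optional[str] = None,
                   expected_decoded: Optional[str] = None) -> bytes:
    """Decode the blob, verifying hashes when the caller knows them."""
    if expected_encoded and sha256_hex(encoded) != expected_encoded:
        raise ValueError("encoded blob does not match the expected SHA256")
    decoded = xor_with_key(encoded, key)
    if expected_decoded and sha256_hex(decoded) != expected_decoded:
        raise ValueError("decoded blob does not match the expected SHA256")
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE file: wrong key or key offset?")
    return decoded


def recover_key(encoded: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key from known plaintext at a known offset.

    The key stream byte used at position offset+i is key[(offset+i) % key_len],
    so XORing the crib against the ciphertext yields the key, rotated.
    """
    if len(crib) < key_len:
        raise ValueError("crib shorter than key")
    stream = bytes(c ^ p for c, p in zip(encoded[offset:offset + len(crib)], crib))
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = stream[i]
    return bytes(key)


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE image; not the real sample."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew -> 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: decode a captured download and check both hashes from the paste.
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        out = decode_payload(blob, expected_encoded=ENCODED_SHA256,
                             expected_decoded=DECODED_SHA256)
        with open(sys.argv[2], "wb") as f:
            f.write(out)
        print("decoded %d bytes, sha256 %s" % (len(out), sha256_hex(out)))
    else:
        sample = build_sample_pe()
        enc = xor_with_key(sample, XOR_KEY)
        assert decode_payload(enc) == sample
        assert recover_key(enc, DOS_STUB_TEXT, DOS_STUB_OFFSET, len(XOR_KEY)) == XOR_KEY
        print("self-check OK")
```

Run as `python3 decode_trickbot.py encoded.bin decoded.exe` on a captured download to get the file whose hash matches the VT/HA links above; with no arguments it runs the offline self-check against the constructed sample. Keep the decoded file in an isolated analysis environment: it is the live TrickBot payload.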