2017-07-18 TrickBot "Document / Invoice / Order""

1. 2017-07-20: #trickbot email phishing campaign "Document/Invoice/Order/Receipt/Scan"
2.  
3. ---------------------------------------------------------------------------------------------------------
4. From: "Park Royal Partnership" <[email protected]>
5. To: [REDACTED]
6. Subject: DOC
7. Date: Thu, 20 Jul 2017 15:40:54 +0530
8.  
9. Attachment: MX-2310U_20170720_836945.zip
10. ---------------------------------------------------------------------------------------------------------
11. - subject is one of: DOC, Document, Documents, Invoice, Order, Paper, Receipt, Scan or Scanned document
12. - email body is empty
13. - attached file "MX-2310U_20170720_<6 digits>.zip" contains file "doc000<17-18 digits>.vbs" which will download malware from:
14.  
15. Download sites:
16. http://ambrec.com/jhf8w743
17. http://amphibiousvehicle.eu/jhf8w743
18. http://ampiere.com/jhf8w743
19. http://anakha.net/jhf8w743
20. http://analisisreig.cat/jhf8w743
21. http://anderlaw.com/jhf8w743
22. http://anderson-hanson-blanton.com/jhf8w743
23. http://andreasparochie.net/jhf8w743
24. http://andresarlemijn.nl/jhf8w743
25. http://andrewlloydhousing.co.uk/jhf8w743
26. http://anfiris.com/jhf8w743
27. http://angelathomson.com/jhf8w743
28. http://angeldemon.com/jhf8w743
29. http://angelolicari.com/jhf8w743
30. http://animation-sarzeau.fr/jhf8w743
31. http://anliegergemeinschaft.de/jhf8w743
32. http://annalisamansutti.com/jhf8w743
33. http://annmcclean.co.uk/jhf8w743
34. http://annoncesdirectes.com/jhf8w743
35. http://antiquariat-kiemes.de/jhf8w743
36. http://antonellacrestani.it/jhf8w743
37. http://antwerpiastamps.be/jhf8w743
38. http://antwerpportshuttles.be/jhf8w743
39. http://anunturi-imobiliare-bucuresti.ro/jhf8w743
40. http://anunturi-imobiliare-cluj-napoca.ro/jhf8w743
41. http://anwaltskanzlei-geier.de/jhf8w743
42. http://aok-nordschwarzwald.de/jhf8w743
43. http://aoua.gr/jhf8w743
44. http://apartamente-brasov.ro/jhf8w743
45. http://apartamente-cluj-napoca.ro/jhf8w743
46. http://apartamente-regim-hotelier-cluj.ro/jhf8w743
47. http://apartamente-timisoara.ro/jhf8w743
48. http://aparthotelmontreal.com/jhf8w743
49. http://apbg-dubai.info/jhf8w743
50. http://apfonte.com/jhf8w743
51. http://apogenericos.com/jhf8w743
52. http://appartement-sailer.at/jhf8w743
53. http://appenzeller.fr/jhf8w743
54. http://applebrandstore.de/jhf8w743
55. http://appollovision.com/jhf8w743
56. http://aqle.fr/jhf8w743
57. http://arcana.es/jhf8w743
58. http://arc-conduite.com/jhf8w743
59. http://archburo-martens.be/jhf8w743
60. http://archiefopslag.org/jhf8w743
61. http://architekt-mauss.de/jhf8w743
62. http://arcipelagodelgusto.it/jhf8w743
63. http://ardrishaig.com/jhf8w743
64. http://argirosmarine.gr/jhf8w743
65. http://ar-inversiones.com/jhf8w743
66. http://armadio-meble.pl/jhf8w743
67. http://aros.ppa.pl/jhf8w743
68. http://art-city-perm.ru/jhf8w743
69. http://artfauna.de/jhf8w743
70.  
71.  
72. Malware:
73. - encoded on download, SHA256 65cc73f46936f110658152134a6922909802aad263c9b2c146f9e6e166259c39, MD5 9d281c4c2a9b5505ff0e68903546b255
74. - decode by XORing with "FKHL2wZZ8a2MhL2g23gnm9b5bqvfhcZE"
75. - decoded SHA256 ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d, MD5 c5cd1e0ad1dbd79b0123a0dd96259075
76. - VT: https://www.virustotal.com/en/file/ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d/analysis/1500543639/
77. - HA: https://www.reverse.it/sample/ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d?environmentId=100