Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- THREAT ATTRIBUTION: TA505
- SUBJECTS OBSERVED
- Pension certificates
- SENDERS OBSERVED
- Roger[.]Dickenson@3sref[.]com
- Roger[.]Dickenson@apsara[.]co[.]id
- Roger[.]Dickenson@buehler-velos[.]ch
- Roger[.]Dickenson@clearcutcomputing[.]com
- Roger[.]Dickenson@compedgesolutions[.]co[.]ke
- Roger[.]Dickenson@dec[.]fca[.]unam[.]mx
- Roger[.]Dickenson@deliveryproprio[.]com[.]br
- Roger[.]Dickenson@emsholdings[.]co[.]za
- Roger[.]Dickenson@extin[.]co[.]mz
- Roger[.]Dickenson@grauvogl[.]org
- Roger[.]Dickenson@jumbo-computer[.]com
- Roger[.]Dickenson@kntv[.]sumy[.]ua
- Roger[.]Dickenson@lakris[.]no
- Roger[.]Dickenson@manquehue[.]net
- Roger[.]Dickenson@narus-pass[.]com
- Roger[.]Dickenson@portersliquor[.]com[.]au
- Roger[.]Dickenson@radnoti-pecs[.]hu
- Roger[.]Dickenson@residenciapatricia[.]com
- Roger[.]Dickenson@santecite[.]fr
- Roger[.]Dickenson@sedelecstore[.]com
- Roger[.]Dickenson@spshimbun[.]com[.]br
- Roger[.]Dickenson@suncast[.]jp
- Roger[.]Dickenson@terek[.]hu
- Roger[.]Dickenson@weiskirchner[.]at
- MALDOC DISTRIBUTION URLS
- Opening the .html file points here - these are landing pages which then forward to dl[.]river-store (below) for a reCaptcha
- hxxp://archifaktura[.]hu/nfxdutl[.]html
- hxxp://www[.]davion[.]plus[.]com/iscyqz[.]html
- The reCaptcha and the .xls file downloads are located here:
- hxxps://dl[.]river-store[.]com/
- HTML FILE HASHES
- b603b63140b5616d13f289174fceb5a9
- 15ae6410dec574e473135186d552ecfc
- EXCEL FILE HASHES
- 28e8cbdfc88662203258c9c4145974bf
- 413288a05bb379241afd2d03b0dc5fe9
- 99c0efc023fae2d1db32c4d5691c68e7
- a7764976e7f996c514bc8bea58986070
- f3cf456f0717f432be76ec3408bc5050
- TA505 C2
- Traffic to:
- 23[.]163[.]0[.]37:443
- which resolves to:
- none-class[.]com
- SUPPORTING EVIDENCE
- hxxps://urlhaus[.]abuse[.]ch/url/427135/
Add Comment
Please, Sign In to add comment
