Racco42

2017-07-25 TrickBot "< No Subject >"

Jul 25th, 2017
2017-07-25 #trickBot email phishing campaign "< No Subject >"
Samples: 458

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: <notifications@in.telstra.com.au>
To: [REDACTED]
Subject: < No Subject >
Date: Wed, 26 Jul 2017 01:57:26 +0300

Good Day,

Please see attached email bill request from May-July 2017.

Yours Sincerely,
Sandy
D354810

Attachment: May-July2017.zip
-----------------------------------------------------------------------------------------------------------------------
- sender is "notifications@in.telstra.com.au"
- subject is "< No Subject >"
- attached file "May-July2017.zip" contains a file named "<3 upcase letters>_<11 digits>_<6 digits>.wsf", which, when executed, downloads the 2nd stage downloader from:

Stage2 download sites:
http://acomplia.orgfree.com/8?
http://delicefilm.com/cgi-bin/10?
http://dodawanie.com/1?
http://esu-tech-saar.de/4?
http://gala.noads.biz/2?
http://huairou.com/3?
http://kpalion.piwko.pl/12?
http://mavisehirrotaract.org/cgi-bin/5?
http://naturis.info/6?

The Stage2 downloader is an MSHTA (HTA) file containing a VBScript downloader, which downloads the malware from:

Malware download sites:
http://1pointsix18.in/n3f7b
http://eselink.com.my/n3f7b
http://gotchawildlife.com/n3f7b
http://infopoupees.com/n3f7b
http://olsonlamaj.com/n3f7b
http://potsdamer-strassenfest.de/n3f7b
http://rencontre-rouen.com/n3f7b
http://sakrabeskydy.wz.cz/n3f7b
http://starsafety.net/n3f7b
http://sunbrio.com/n3f7b
http://thelaw.ae/n3f7b
http://trominguatedrop.org/af/n3f7b
http://wirbeldipf.ch/n3f7b

Malware:
- as downloaded (XOR-encoded): SHA256 932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd, MD5 e0aee94076700e1bcb6b9eac6121a9bb
- decoded by XORing with the key "ur43vUVcQMub86bdFOwgt1rZJjssOXNj"
- decoded: SHA256 b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13, MD5 90284b01fae8a932ca99767825568721
- VT: https://www.virustotal.com/file/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13/analysis/1501024947/
- HA: https://www.reverse.it/sample/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13?environmentId=100
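An added analyst helper (not part of the paste above) covering two points from it: matching the attachment naming pattern inside the zip, and recovering the final payload from a captured download by XORing it with the published key so the SHA256/MD5 can be checked against the IoCs listed above. The sample bytes in the block are constructed for the demonstration and are not the real payload; the `is_campaign_wsf_name`, `xor_decode` and `decode_and_verify` names are this example's own.

```python
import hashlib
import re
from itertools import cycle

# Values taken from the paste above.
XOR_KEY = b"ur43vUVcQMub86bdFOwgt1rZJjssOXNj"
ENCODED_SHA256 = "932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd"
DECODED_SHA256 = "b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13"
DECODED_MD5 = "90284b01fae8a932ca99767825568721"

# Attachment name pattern described in the paste:
# 3 upper-case letters, '_', 11 digits, '_', 6 digits, '.wsf'
WSF_NAME_RE = re.compile(r"^[A-Z]{3}_\d{11}_\d{6}\.wsf$")


def is_campaign_wsf_name(name: str) -> bool:
    """True if a filename inside the zip follows the campaign's .wsf naming pattern."""
    return WSF_NAME_RE.match(name) is not None


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. XOR is symmetric, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def decode_and_verify(encoded: bytes) -> dict:
    """Decode a captured download and compare the result with the published hashes.

    'matches_published' is only True for the real sample from this campaign;
    'looks_like_pe' is a cheap sanity check that the key produced a Windows binary.
    """
    decoded = xor_decode(encoded)
    return {
        "encoded_sha256": sha256_hex(encoded),
        "decoded_sha256": sha256_hex(decoded),
        "decoded_md5": md5_hex(decoded),
        "matches_published": (
            sha256_hex(encoded) == ENCODED_SHA256
            and sha256_hex(decoded) == DECODED_SHA256
            and md5_hex(decoded) == DECODED_MD5
        ),
        "looks_like_pe": decoded[:2] == b"MZ",
    }


# Constructed stand-in for the payload (NOT the real malware): a fake DOS/MZ header
# followed by filler, encoded with the campaign key so decode_and_verify can be run offline.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)


if __name__ == "__main__":
    import sys

    # Usage: python decode_trickbot.py <captured_download.bin>
    # Without an argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    for k, v in decode_and_verify(blob).items():
        print(f"{k}: {v}")
    print("wsf name check:", is_campaign_wsf_name("ABC_12345678901_123456.wsf"))
```

Run it against the blob fetched from one of the `/n3f7b` URLs (in a sandbox) and `matches_published` should come back True; on the constructed sample it is False, while `looks_like_pe` still shows the key round-trips correctly.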