
2017-07-25 TrickBot "< No Subject >"

Racco42, Jul 25th, 2017 (edited)
2017-07-25 #trickBot email phishing campaign "< No Subject >"
Samples: 458

Email sample:
-----------------------------------------------------------------------------------------------------------------------
From: <notifications@in.telstra.com.au>
To: [REDACTED]
Subject: < No Subject >
Date: Wed, 26 Jul 2017 01:57:26 +0300

Good Day,

Please see attached email bill request from May-July 2017.

Yours Sincerely,
Sandy
D354810

Attachment: May-July2017.zip
-----------------------------------------------------------------------------------------------------------------------
- sender is "notifications@in.telstra.com.au"
- subject is "< No Subject >"
- attached file "May-July2017.zip" contains the file "<3 upcase letters>_ <11 digits>_<6 digits>.wsf", which when executed downloads the 2nd stage downloader from:

Stage2 download sites:

Stage2 downloader is an MSHTA file containing a VBScript downloader, which downloads the malware from:

Malware download sites:

Malware:
- encoded on download: SHA256 932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd, MD5 e0aee94076700e1bcb6b9eac6121a9bb
- decode by XORing with "ur43vUVcQMub86bdFOwgt1rZJjssOXNj"
- decoded: SHA256 b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13, MD5 90284b01fae8a932ca99767825568721
- VT: https://www.virustotal.com/file/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13/analysis/1501024947/
- HA: https://www.reverse.it/sample/b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13?environmentId=100
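As an added example (not part of the paste), a small Python analysis helper for the decoding step and the attachment naming scheme described above: it XORs a downloaded blob with the repeating 32-byte key quoted in the paste, checks both the downloaded and decoded SHA256 against the values listed, and matches archive member names against the reported .wsf pattern. The payload in the `__main__` block is a constructed stand-in, and the space after the first underscore in the paste's filename pattern is assumed to be a typo and treated as optional.

```python
import hashlib
import re
from itertools import cycle

# Key quoted in the paste for decoding the downloaded TrickBot payload.
XOR_KEY = b"ur43vUVcQMub86bdFOwgt1rZJjssOXNj"

# SHA256 hashes quoted in the paste: the blob as downloaded, and the decoded executable.
ENCODED_SHA256 = "932cc394f05ae536e98b9861bfc854251023809ae8099f2cb6af16c28f6300bd"
DECODED_SHA256 = "b7a7d715f370142ddc6d1ba15f9f7377cda3995d4726874d4eeda24d4b9eff13"

# Inner filename scheme the paste reports for the zip: <3 upcase letters>_<11 digits>_<6 digits>.wsf
# Assumption: the space after the first underscore in the paste is a typo, so it is optional here.
WSF_NAME_RE = re.compile(r"^[A-Z]{3}_ ?\d{11}_\d{6}\.wsf$")


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR `data` against `key` repeated; the same call re-encodes, since XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_and_verify(encoded: bytes) -> dict:
    """Decode a downloaded blob and compare both stages against the hashes in the paste."""
    decoded = xor_decode(encoded)
    return {
        "decoded": decoded,
        "encoded_hash_matches": sha256_hex(encoded) == ENCODED_SHA256,
        "decoded_hash_matches": sha256_hex(decoded) == DECODED_SHA256,
    }


def is_campaign_wsf_name(filename: str) -> bool:
    """True if an archive member name follows the .wsf scheme reported in the paste."""
    return WSF_NAME_RE.match(filename) is not None


if __name__ == "__main__":
    # Constructed stand-in for the real payload (a fake MZ header), not the actual sample.
    fake_payload = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    blob = xor_decode(fake_payload)  # encode with the same repeating-key XOR
    result = decode_and_verify(blob)
    print("round trip ok:", result["decoded"] == fake_payload)
    print("hashes match the real sample:", result["encoded_hash_matches"], result["decoded_hash_matches"])
    print("ABC_12345678901_123456.wsf ->", is_campaign_wsf_name("ABC_12345678901_123456.wsf"))
```

Run it against the actual downloaded blob to confirm both hashes before handing the decoded file to a sandbox; with the constructed payload both hash checks are False by design.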