Ledger Nano X - The secure hardware wallet
SHARE
TWEET

2020-04-17: Trickbot gtag ono38 from password-protected XLS

malware_traffic Apr 17th, 2020 2,023 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2020-04-17 - MALSPAM WITH PASSWORD-PROTECTED XLS ATTACHMENTS PUSHES TRICKBOT GTAG ONO38
  2.  
  3. EXAMPLES OF THE ATTACHMENTS:
  4.  
  5. - 0c1feebda781b4bf6528427d43704d1bc2e7b39169f7811dc18505825a7f1ba1  DOC-1__1112.xls
  6. - 2a4e322125e34daf6eee61f5fd0f3a9c07421f058b046ee700f28d65a98c6140  DOC-1__971.xls
  7. - 2e6ca2c90fbce4efc0e2d0dc5988554e3c200bd4d5d381925a3b917eb62a197e  DOC-1__312.xls
  8. - 488d0c32e2c96fbeb7801d08cefc555a07abbfc4f1b5e952a612b0c029ef2f11  DOC-1_179.xls
  9. - 54f8cf240f312c029540d0daff91a0b4959b90f2eb103f3f232ec71c18df4f3f  AMD_02_1808.xls
  10. - 64f6f90d17a2b2f4c7a089c8d5175a6706a9a9c7ae1fe517d785d914f1b1fb3e  AMD_02_1577.xls
  11. - 6596b48af0381a59ce8a2e6105427948e348337401dbcbf1de79494cb6eae80c  DOC-1__794.xls
  12. - 6c17901a4f11e82de3244e2a0d61e3af01d605ec4160558d0cc06a4f7bf6fcfd  AMD_02_1484.xls
  13. - a10814d7bc9babcb3410d4ab0908f027fc9c2a529be91ed1522ca073756a014f  AMD_02_2467.xls
  14. - b939ebcfa526308b4952fcbd26dd40ba9131995d93ff6ea286fda68bbead8ddb  DOC-1__189.xls
  15. - d630d699d68538a8153f5bc31aa333dc4a837a1b4aadead3979ca0cd88600b2b  DOC-1__207.xls
  16. - dd7f014663098403cf5fbea89a22dfe2c13c52e73ef25eb066315bfdad065479  AMD_02_2624.xls
  17.  
  18. NOTE:
  19.  
  20. - For the above files, the password is: apr17
  21.  
  22. URL FOR TRICKBOT EXE (GTAG ONO38) AFTER ENABLING XLS MACROS:
  23.  
  24. - hxxps://mitsui-jyuku[.]mixh[.]jp/uploads/rooky.php
  25.  
  26. TRICKBOT EXE (GTAG ONO38):
  27.  
  28. - 1771251db0764c8bd2a203ffaca932b685236255c23cd60e11a0c7d246cb87cf
  29. - 19bb363f39d3cc5512494a601fc9a78d9336dd70695df4ad4178f3d4361ce79a
  30. - 2c9d552a7121900f366c09adcb6dccfb4967248bc19d8eb90d4c8fa128a883a8
  31. - dfc4890b72d1759141362ceb52859f9affd38182bbc2f32b6bd9b8ce2c93af48
  32. - eb1298b79b05b420cf831d2ad7270a714a9a74c6371a7fc9b26d940c7bdc4ea6
  33.  
  34. INFO FROM EMAIL EXAMPLE:
  35.  
  36. Received: from smtp.smtpout.orange.fr ([80.12.242.126]) by [removed] for [removed];
  37.           Fri, 17 Apr 2020 11:40:17 -0700
  38. Received: from wwinf1u35 ([10.223.74.109])
  39.     by mwinf5d08 with ME
  40.     id TugB2200S2MUzoS03ugB7n; Fri, 17 Apr 2020 20:40:11 +0200
  41. Reply-To: "Mark Baker" <bea.quentin@orange.fr>
  42. From: "Mark Baker" <bea.quentin@orange.fr>
  43. To: [removed]
  44. Subject: Insurance 44452
  45. Date: Fri, 17 Apr 2020 14:40:11 -0400
  46. Message-ID: <297480736.20627.1587148811263.JavaMail.www@wwinf1u35>
  47. MIME-Version: 1.0
  48. Content-Type: multipart/mixed;
  49.     boundary="----=_NextPart_000_0064_01D614D1.A86F11A0"
  50. X-Mailer: Microsoft Outlook 16.0
  51. Thread-Index: AQFi8OW5P4UzPtlW779XdZkCzmMSMQ==
  52.  
  53. This is a multipart message in MIME format.
  54.  
  55. ------=_NextPart_000_0064_01D614D1.A86F11A0
  56. Content-Type: multipart/alternative;
  57.     boundary="----=_NextPart_001_0065_01D614D1.A86F11A0"
  58.  
  59.  
  60. ------=_NextPart_001_0065_01D614D1.A86F11A0
  61. Content-Type: text/plain;
  62.     charset="UTF-8"
  63. Content-Transfer-Encoding: 7bit
  64.  
  65. See enclosed #44452/44452 valid certificate.
  66.  
  67.  
  68. Current password: apr17
  69.  
  70.  
  71.  
  72. ------=_NextPart_001_0065_01D614D1.A86F11A0
  73. Content-Type: text/html;
  74.     boundary="----=_Part_20625_582389572.1587148811258";
  75.     charset="UTF-8"
  76. Content-Transfer-Encoding: quoted-printable
  77.  
  78. <div class style=3D"font-family:garamond, new york, times, =
  79. serif;font-size:13px;"><div class=3D3D"" style=3D3D"line-height: 1.15;"> =
  80. <span style=3D"font-family:'Verdana' , =
  81. sans-serif;font-size:16px;font-weight:bold">See enclosed #44452/44452 =
  82. valid certificate.<br>  <p>Current password: <b>apr17</b> </div>
  83. <br></div>
  84. ------=_NextPart_001_0065_01D614D1.A86F11A0--
  85.  
  86. ------=_NextPart_000_0064_01D614D1.A86F11A0
  87. Content-Type: application/octet-stream;
  88.     name="AMD_02_2624.xls"
  89. Content-Transfer-Encoding: base64
  90. Content-Disposition: attachment;
  91.     filename="AMD_02_2624.xls"
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top