API tools faq
paste
Racco42

2017-09-04 GlobeImposter "True Telecom Invoice"

Racco42
Sep 4th, 2017
4,420
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.57 KB | None | 0 0
raw download clone embed print report
  1. 2017-09-04 #globeimposter email phishing campaign "True Telecom Invoice"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------------------
  5. From: [email protected]
  6. To: [REDACTED]
  7. Subject: 59922362 - True Telecom Invoice for August 2017
  8. Date: Mon, 04 Sep 2017 17:46:39 +0430
  9.  
  10. Dear Deborah Day
  11.  
  12. We have attached your latest True Telecom bill for August 2017.
  13. View your bill online
  14.  
  15. To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You August already have this installed,
  16. if not please visit the Adobe website and download their free viewer.
  17.  
  18. Payments made by direct debit will be collected 14 days from the date of the Bill.
  19.  
  20. If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.
  21.  
  22. Telephone: 0800 840 40 60
  23. Fax: 0844 779 2253
  24. Email: [email protected]
  25.  
  26. Please be advised that this is an unmonitored email address.
  27.  
  28. With Kind Regards,
  29.  
  30. The True Telecom Team
  31. www.True-Telecom.com
  32.  
  33.  
  34. True Telecom Ltd is registered in England and Wales No. 08225783.
  35. Head Office address: Ground Floor,Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE
  36.  
  37. This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and August contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail "the Company" is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)
  38.  
  39. Attachment: 2017-08-51237335-Bill.7z ->
  40. -----------------------------------------------------------------------------------------------------------------------
  41. - sender is [email protected]
  42. - subject is <8 digits> - True Telecom Invoice for August 2017
  43. - body is in HTML format and contains link to file with downloader which is same as the one in attachment
  44. - attached file "2017-08-<8 digits>-Bill.7z" contains file "2017-08-<8 digits>-Bill.vbs", a VBScript downloader which will download from:
  45.  
  46. Downloader download sites:
  47. http://aac-autoecole.com/2017-08-42007004-Bill.7z
  48. http://activ-conduite.eu/2017-08-42007004-Bill.7z
  49. http://autoecolecarnot.com/2017-08-42007004-Bill.7z
  50. http://montessibooks.com/2017-08-42007004-Bill.7z
  51. http://pack-lines.com/2017-08-42007004-Bill.7z
  52. http://red-dead.fr/2017-08-42007004-Bill.7z
  53. http://rogames.ro/2017-08-42007004-Bill.7z
  54. http://studiotoscanosrl.it/2017-08-42007004-Bill.7z
  55. http://toubelis.gr/2017-08-42007004-Bill.7z
  56. http://ventadepajaros.es/2017-08-42007004-Bill.7z
  57. http://villasbarcelona.org/2017-08-42007004-Bill.7z
  58. http://weekendjevliegen.nl/2017-08-42007004-Bill.7z
  59.  
  60. Malware download sites:
  61. http://aquavista.org.nz/JIKJHgft
  62. http://awholeblueworld.com/JIKJHgft
  63. http://cabbiemail.com/JIKJHgft
  64. http://geolearner.com/JIKJHgft
  65. http://handhi.com/JIKJHgft
  66. http://hexacam.com/JIKJHgft
  67. http://jimaylor.net/JIKJHgft
  68. http://m-tensou.net/JIKJHgft
  69. http://n1xua.com/JIKJHgft
  70. http://naturofind.org/p66/JIKJHgft
  71. http://proyectogambia.com/JIKJHgft
  72. http://world-tour2000.com/JIKJHgft
  73.  
  74. Malware:
  75. - encoded on download, SHA256: 4b1097886cde91d2c4d66fdb53e446d94e34d692fbbd2b5475a065c5c30a901e, MD5: 3134ff6529ef055b232452e3f29bdece
  76. - decode by XORing with "XdSk4gxRmVKXKBlRXHLa29VxIpIIegBH"
  77. - decoded SHA256: bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47, MD5: 6b456cff688be4715e6456cf12c64939
  78. - VT: https://www.virustotal.com/en/file/bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47/analysis/1504531635/
  79. - HA: https://www.reverse.it/sample/bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!