malware_traffic

2019-03-04 - #Emotet #malspam example

Mar 4th, 2019
2019-03-04 - EMOTET MALSPAM EXAMPLE (SANITIZED AND DE-FANGED)

Received: from [66.147.242.129] ([66.147.242.129:34581] helo=gateway8.unifiedlayer.com)
 by [removed] (envelope-from <taisha@midcderm.com>) [removed];
 Mon, 04 Mar 2019 16:13:51 -0500
Received: from cm3.websitewelcome.com (unknown [108.167.139.23])
 by gateway8.unifiedlayer.com (Postfix) with ESMTP id 10B6D200DB1D1
 for [removed]; Mon, 4 Mar 2019 15:13:51 -0600 (CST)
Received: from shared43.accountservergroup.com ([162.215.248.200])
 by cmsmtp with ESMTP
 id 0uuEhN60pS1Lj0uuEhivXG; Mon, 04 Mar 2019 15:13:51 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=midcderm.com; s=default; h=Content-Type:MIME-Version:Subject:Message-Id:To:
 From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=n3cDFLTslz14oZxIoOo1JgXBNS30hkQQe47MV/NHM8I=; b=dKdxZT7GeCecqOOKoXI/Q/aAFM
 y2kqWSGbaCTYZyI3Lpxnfa/TK19B6fpPuz83OKbZNY9LHfP+fPj7bWtws1HSvH5kBFbbe9kftuoXE
 eKdHlqWeXdq0x5Wuyyn2lXR+Ty37lP610jSMx5I/5IoKBmvsnUmrauewcuh05LE77sgJIn1EKCd49
 MgoQGdh4HDmp2dUCvunjNdhwsqBT+VfIyug6MlASH4eZP04yfgSZXWTcxfB/s62nsXzSYl5b1UOST
 tjzQyvz1aBjhqISTmskxmYCJLQCSqCWo5RV658qQVSLBimpXnz7Abi9OYAGc/4z+IfO8RbT4hCY1d
 Pn74qWOw==;
Received: from 24-35-181-43.fidnet.com ([24.35.181.43]:56906 helo=[192.11.22.43])
 by shared43.accountservergroup.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91)
 (envelope-from <taisha@midcderm.com>)
 id 1h0uuE-0005mH-B6
 for [removed]; Mon, 04 Mar 2019 15:13:50 -0600
Date: Mon, 04 Mar 2019 15:16:20 -0600
From: [spoofed name] <taisha@midcderm.com>
To: [removed]
Message-Id: <78PDzT7slrrq7FUN9YKo0PCOl8Rq4lI2yNhpkVGvnUtGqFTEWOt@[recipient's email domain]>
Subject: COMET SIGNS PAYMENT NOTIFICATION 03.04.2019
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_22065_1215143116.14059283682861730824"

------=_Part_22065_1215143116.14059283682861730824
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html>
<body>
<font color=3D'black' size=3D'2' face=3D'Arial, Helvetica, sans-serif'><br>=

=0DWe wish to advise with attached that we wired on 03.04.19.<br>=0DUSD 2,2=
51.97 being settlement of outstanding invoices.<br><br>=0DKindly confirm r=
eceipt of funds.<br><br>

<a href=3D"hxxp://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/">hxxp=
://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/</a>
<br><br>
<div style=3D"clear:both">
<div><font color=3D"black" face=3D"arial" size=3D"2">Best regards,</font></=
div>
=20
<div><font color=3D"black" face=3D"arial" size=3D"2"></font>&nbsp;</div>
=20
<div><font color=3D"red" face=3D"arial" size=3D"2">
<br>
<i>[spoofed sender's name]</i><br>
<i>[spoofed sender's email address]</i><br></font></div>
</div>
</div>
</font>
</body>
</html>
------=_Part_22065_1215143116.14059283682861730824
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DI was wondering if you have a scheduled payment date for this Invoice.

hxxp://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/




I look foward to hearing from you.



[spoofed sender's name]=0DPhone (Cell): =0D955-676-4751 =0DPhone (Home): =0D955-6=
76-4720=0DEMail:[spoofed sender's email address]
------=_Part_22065_1215143116.14059283682861730824--
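Added example (not part of the original paste): a stdlib-only Python triage of the sample above, written to show what the headers actually tell you. It walks the Received chain from the bottom up to the originating hop (24-35-181-43.fidnet.com / 24.35.181.43, announcing itself with the bare IP literal helo=[192.11.22.43]), flags Exim's "with esmtpsa" on that hop (TLS plus SMTP AUTH, i.e. the message was submitted with credentials to the From domain's own hosting server rather than forged from outside), checks that the DKIM d= domain aligns with the From address (alignment only; the signature itself is not verified, which needs DNS), measures the skew between the Date header and the first-hop Received stamp (here Date is 150 seconds later than the server received the message), and decodes both quoted-printable MIME parts to pull out the defanged URL. Note that the text/html and text/plain alternatives carry different lure text, so a text-only filter sees a different message than the recipient's mail client renders. The embedded input is the paste's own headers and body, abridged and refolded with RFC 5322 continuation whitespace; the function and field names are mine.

```python
# Added example, not part of the original paste: stdlib-only header and MIME
# triage of the sample above. No network access and no DKIM verification.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed input: the paste's headers and body, abridged (DKIM h= shortened,
# b= cut, To/Message-Id/signature block dropped) and refolded with the RFC 5322
# continuation whitespace. "[removed]" and "[spoofed name]" are the paste's own.
SAMPLE = """\
Received: from [66.147.242.129] ([66.147.242.129:34581] helo=gateway8.unifiedlayer.com)
 by [removed] (envelope-from <taisha@midcderm.com>) [removed]; Mon, 04 Mar 2019 16:13:51 -0500
Received: from cm3.websitewelcome.com (unknown [108.167.139.23])
 by gateway8.unifiedlayer.com (Postfix) with ESMTP id 10B6D200DB1D1
 for [removed]; Mon, 4 Mar 2019 15:13:51 -0600 (CST)
Received: from shared43.accountservergroup.com ([162.215.248.200])
 by cmsmtp with ESMTP id 0uuEhN60pS1Lj0uuEhivXG; Mon, 04 Mar 2019 15:13:51 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=midcderm.com;
 s=default; h=Content-Type:MIME-Version:Subject:Message-Id:To:From:Date;
 bh=n3cDFLTslz14oZxIoOo1JgXBNS30hkQQe47MV/NHM8I=; b=dKdxZT7GeCecqOOKoXI/Q/aAFM[cut]
Received: from 24-35-181-43.fidnet.com ([24.35.181.43]:56906 helo=[192.11.22.43])
 by shared43.accountservergroup.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91) (envelope-from <taisha@midcderm.com>) id 1h0uuE-0005mH-B6
 for [removed]; Mon, 04 Mar 2019 15:13:50 -0600
Date: Mon, 04 Mar 2019 15:16:20 -0600
From: [spoofed name] <taisha@midcderm.com>
Subject: COMET SIGNS PAYMENT NOTIFICATION 03.04.2019
Content-Type: multipart/alternative; boundary="----=_Part_22065_1215143116.14059283682861730824"

------=_Part_22065_1215143116.14059283682861730824
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><body>=0DWe wish to advise with attached that we wired on 03.04.19.<br>=0DUSD 2,2=
51.97 being settlement of outstanding invoices.<br>=0DKindly confirm receipt of funds.<br>
<a href=3D"hxxp://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/">hxxp=
://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/</a></body></html>
------=_Part_22065_1215143116.14059283682861730824
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DI was wondering if you have a scheduled payment date for this Invoice.
hxxp://salonfrancois[.]com/cgi-bin/yd2sf-vaa20-hwavd.view/
------=_Part_22065_1215143116.14059283682861730824--
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEFANGED_URL = re.compile(r'hxxps?://[^\s"<>]+')  # keep indicators defanged


def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Extract what an analyst reads off one Received header."""
    value = " ".join(value.split())  # unfold and squash whitespace
    return {
        "from": _first(r"^from\s+(\S+)", value),
        "helo": _first(r"helo=([^\s)]+)", value),
        "by": _first(r"\bby\s+(\S+)", value),
        "ips": list(dict.fromkeys(IPV4.findall(value))),  # dedupe, keep order
        # Exim (and Postfix) record TLS plus SMTP AUTH submission as "esmtpsa"
        "authenticated": re.search(r"\bwith\s+esmtpsa\b", value, re.I) is not None,
        "time": parsedate_to_datetime(value.rsplit(";", 1)[-1].strip()),
    }


def triage(raw):
    msg = message_from_string(raw)
    from_addr = _first(r"([\w.+-]+@[\w.-]+)", msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[1].lower() if from_addr else None
    dkim = " ".join((msg.get("DKIM-Signature") or "").split())
    dkim_domain = _first(r"(?:^|;)\s*d=([^;\s]+)", dkim)  # alignment only, no verify
    # Each MTA prepends its Received header, so the last one is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    skew = (date - hops[0]["time"]).total_seconds() if date and hops else None
    bodies, urls = {}, []
    for part in msg.walk():  # decode every text part (quoted-printable here)
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        bodies[part.get_content_type()] = text
        for url in DEFANGED_URL.findall(text):
            if url not in urls:
                urls.append(url)
    return {
        "from_address": from_addr, "dkim_domain": dkim_domain,
        "dkim_aligned": bool(from_domain and dkim_domain and from_domain == dkim_domain.lower()),
        "hops": hops, "authenticated_submission": bool(hops and hops[0]["authenticated"]),
        "date_skew_seconds": skew, "urls": urls, "bodies": bodies,
    }


if __name__ == "__main__":
    r, o = triage(SAMPLE), triage(SAMPLE)["hops"][0]
    print(f"{r['from_address']} dkim_d={r['dkim_domain']} aligned={r['dkim_aligned']} "
          f"origin={o['from']} {o['ips']} helo={o['helo']} auth={o['authenticated']} "
          f"date_skew={r['date_skew_seconds']:+.0f}s urls={r['urls']}")
```

Run it directly for a one-line summary, or import triage() and feed it raw .eml text; hops are returned origin first, so hops[0] is the submission hop and hops[-1] the delivery to your own MX. The URL regex deliberately matches only the hxxp / [.] defanged form used in the paste; matching against proxy logs needs the indicator refanged, which this code does not do, so the output stays safe to paste into a ticket.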