2017-07-24 TrickBot "Invoice# ADxxx"

1. 2017-07-24: #TrickBot email phishing campaigns "Invoice# ADxxx" and "Order"
2. Samples: 2 + 2
3.  
4. Email sample 1:
5. -------------------------------------------------------------------------------------------------------------------------------
6. From: Tara thwaits <Tara@chrisnaylor.net>
7. To: [REDACTED]
8. Subject: Invoice# AD996
9. Date: Tue, 25 Jul 2017 05:32:10 +0700
10.  
11. Dear Customer
12. Invoice# AD996 is attached and ready for payment.
13.  
14. *Due to the time frame requests made on this order the payment terms have been lifted to ensure goods are completed and ready for dispatch by Sunday 30th July 2017.Please make payment at your earliest convenience to ensure an immediate release of goods.
15. Any queries please call 0438 504 726.
16. Regards Tara thwaits
17.  
18. Attachment: Invoice# AD996.zip
19. -------------------------------------------------------------------------------------------------------------------------------
20. - sender is random
21. - subject is "Invoice# AD<3 digits>"
22. - attachment "Invoice# ADxxx.zip" contains file "01258861149_20170411_<6 digits>.wsf" which will download second stage downloader
23.  
24. Email sample 2:
25. -------------------------------------------------------------------------------------------------------------------------------
26. From: "Jodie pickup" <Jodie@rsenergies.com>
27. To: [REDACTED]
28. Subject: Order
29. Date: Tue, 25 Jul 2017 04:21:50 +0530
30.  
31. Attachment: MX-2310U_20170725_042150.zip
32. -------------------------------------------------------------------------------------------------------------------------------
33. - sender is random
34. - subject is "Order"
35. - body is empty
36. - attachment "MX-2310U_2017072<4 or 5>_<6 digits>.zip" contains file "01258861149_20170411_<6 digits>.wsf" which will download second stage downloader:
37.  
38. Stage2 download sites:
39. http://51jinshui.com/kklsdhv17?
40. http://clicburkina.com/kklsdhv16?
41. http://sedimohassel.com/kklsdhv15?
42. http://twdrei.de/kklsdhv21?
43.  
44. Second stage downloader is MS HTA file that contains VBScript downloader, which gets malware from:
45.  
46. Malware download sites:
47. http://abenethigherclinic.com/7regcbw
48. http://guangyiwuliu.com/7regcbw
49. http://klausstagis.dk/7regcbw
50. http://remkvartir.com/7regcbw
51. http://rockgarden.co.th/7regcbw
52. http://snnftp.com/7regcbw
53. http://songtinmungtinhyeu.org/7regcbw
54. http://spasinski.pl/7regcbw
55. http://tamilgags.com/7regcbw
56. http://wesleychristianschool.org/7regcbw
57.  
58.  
59. Malware:
60. - encoded on download, SHA256 87dcc473c4cb195b02d9fbf3665d42f3ec84cbd02f0da12f26b1adeb227514fb, MD5 7ba257b37b2d82fa137617bebcf07b05
61. - decode by XORing with "A4lN6elPYD6DBelKQDJeL6IxVTy1irSb"
62. - decoded SHA256 0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d, MD5 885d2852faad6c7a1b0b796047ddced7
63. - VT: https://www.virustotal.com/file/0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d/analysis/1500958206/
64. - HA: https://www.reverse.it/sample/0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d?environmentId=100