2017-07-24 TrickBot "Invoice# ADxxx"

Racco42 Jul 25th, 2017 (edited)
2017-07-24: #TrickBot email phishing campaigns "Invoice# ADxxx" and "Order"
Samples: 2 + 2

Email sample 1:
-------------------------------------------------------------------------------------------------------------------------------
From: Tara thwaits <Tara@chrisnaylor.net>
To: [REDACTED]
Subject: Invoice# AD996
Date: Tue, 25 Jul 2017 05:32:10 +0700

Dear Customer
Invoice# AD996 is attached and ready for payment.

*Due to the time frame requests made on this order the payment terms have been lifted to ensure goods are completed and ready for dispatch by Sunday 30th July 2017.Please make payment at your earliest convenience to ensure an immediate release of goods.
Any queries please call 0438 504 726.
Regards Tara thwaits

Attachment: Invoice# AD996.zip
-------------------------------------------------------------------------------------------------------------------------------
- sender is random
- subject is "Invoice# AD<3 digits>"
- attachment "Invoice# ADxxx.zip" contains the file "01258861149_20170411_<6 digits>.wsf", which downloads the second-stage downloader

Email sample 2:
-------------------------------------------------------------------------------------------------------------------------------
From: "Jodie pickup" <Jodie@rsenergies.com>
To: [REDACTED]
Subject: Order
Date: Tue, 25 Jul 2017 04:21:50 +0530

Attachment: MX-2310U_20170725_042150.zip
-------------------------------------------------------------------------------------------------------------------------------
- sender is random
- subject is "Order"
- body is empty
- attachment "MX-2310U_2017072<4 or 5>_<6 digits>.zip" contains the file "01258861149_20170411_<6 digits>.wsf", which downloads the second-stage downloader from one of:

Stage2 download sites:
http://51jinshui.com/kklsdhv17?
http://clicburkina.com/kklsdhv16?
http://sedimohassel.com/kklsdhv15?
http://twdrei.de/kklsdhv21?

The second-stage downloader is an MS HTA file containing a VBScript downloader, which fetches the malware from:

Malware download sites:

Malware:
- encoded on download: SHA256 87dcc473c4cb195b02d9fbf3665d42f3ec84cbd02f0da12f26b1adeb227514fb, MD5 7ba257b37b2d82fa137617bebcf07b05
- decode by XORing with the key "A4lN6elPYD6DBelKQDJeL6IxVTy1irSb"
- decoded sample: SHA256 0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d, MD5 885d2852faad6c7a1b0b796047ddced7
- VT: https://www.virustotal.com/file/0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d/analysis/1500958206/
- HA: https://www.reverse.it/sample/0349cf39dffbc2f8833782ece3fae70aaa34687d145824cc736d6ede386a017d?environmentId=100
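A small decoder for the XOR-encoded download, added here as an example and not part of the original paste: it applies the key quoted above as a repeating-key XOR, hashes the result so it can be compared with the decoded SHA256/MD5 listed above, and checks for an MZ header (assumption: the decoded payload is a Windows PE). The embedded sample bytes are constructed, not the real payload.

```python
import hashlib
import itertools
from typing import Optional

# XOR key quoted in the paste; the downloaded TrickBot payload is encoded with it.
XOR_KEY = b"A4lN6elPYD6DBelKQDJeL6IxVTy1irSb"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)].
    XOR is its own inverse, so the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def hashes(data: bytes) -> dict:
    """SHA256 and MD5 as lower-case hex, the format used for the indicators above."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def analyse_download(blob: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Decode a captured download and report: hashes of the raw and decoded
    bytes, whether the decoded bytes start with an MZ header (assumption: the
    decoded payload is a Windows PE), and whether the decoded SHA256 matches a
    known indicator such as the one quoted in the paste."""
    decoded = xor_decode(blob)
    report = {
        "encoded": hashes(blob),
        "decoded": hashes(decoded),
        "looks_like_pe": decoded[:2] == b"MZ",
        "size": len(decoded),
    }
    if expected_sha256 is not None:
        report["sha256_match"] = report["decoded"]["sha256"] == expected_sha256.lower()
    return report


# Constructed stand-in for the real sample (not the actual payload): a fake PE
# stub, then encoded with the campaign key the way the download would be.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)

if __name__ == "__main__":
    known_sha256 = hashes(SAMPLE_PLAIN)["sha256"]  # stands in for the paste's decoded SHA256
    print(analyse_download(SAMPLE_ENCODED, known_sha256))
```

To check a real capture, read the downloaded file as bytes, pass it to analyse_download together with the decoded SHA256 from the paste, and compare the "decoded" hashes against the indicators listed above.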