2019-10-03 - Netsupport RAT malspam campaign

malware_traffic, Oct 4th, 2019

DATE:

- As early as Thursday 2019-10-03

DESCRIPTION:

- FedEx-themed malspam used to distribute Netsupport RAT.

SOME OF THE EMAIL SUBJECTS:

- Subject: Fedex delivery failure
- Subject: Fedex delivery notification
- Subject: Fedex delivery problem
- Subject: Urgent Fedex  delivery notification

SOME OF THE SENDING ADDRESSES (PROBABLY SPOOFED):

- From: fedex.delivery.alerts@homebestfun.com
- From: fedex.notifications@celgrundy.icu
- From: fedex.notifications@clois.icu
- From: fedex.notifications@cmelanie.icu
- From: fedex.notifications@reiren.icu
- From: info@fedexcn.org

SOME LINKS FROM THE EMAILS:

- hxxps://diezeitinsel[.]de/fedex.php
- hxxps://jrunlimited[.]com/fedex.php
- hxxps://pitchseed[.]com/fedex.php
- hxxps://prestigefg[.]com/fedex.php
- hxxps://squareonerenovationsinc[.]com/fedex.php
- hxxps://www.isleeku[.]com/fedex.php
- hxxps://www.shakeraleighbeauty[.]com/fedex.php

ALL OF THE ABOVE LINKS REDIRECT TO THE FOLLOWING URL CHAIN:

- hxxps://mydropboxfiles[.]com/
- hxxps://dropboxfiles[.]net/download/gBNksCv/
- hxxps://dropboxfiles[.]net/download/gBNksCv/?file=form.hta&id=46

WHICH DROPS THE FOLLOWING HTA FILE:

- SHA256 hash: 466f848ac9dab1bf97abf2815506c443acc73204a822d68b66c44390e642964f
- File size: 4,284 bytes
- File name: form.hta
- File location: hxxps://dropboxfiles[.]net/download/gBNksCv/?file=form.hta&id=46
- File description: HTA file to infect a Windows host with Netsupport RAT

THE ABOVE HTA FILE GENERATES THE FOLLOWING INFECTION TRAFFIC:

- hxxp://185.225.17[.]53/form.msi
- hxxp://185.225.19[.]35/fakeurl.htm
- hxxp://geo.netsupportsoftware[.]com/location/loca.asp

NETSUPPORT RAT INSTALLER:

- SHA256 hash: 11f877eb961c5d13c07e9e29614e551f7fcd36cda5458927aa66a9f211d09286
- File size: 4,030,464 bytes
- File location: hxxp://185.225.17[.]53/form.msi
- File description: Netsupport RAT installer