malware_traffic

2020-08-18 (Tuesday) - Emotet malspam example

Aug 18th, 2020 (edited)
2020-08-18 (TUESDAY) - EMOTET MALSPAM EXAMPLE

NOTES: This was, indeed, sent to a gmail account that I created, but the original name has been edited here, changed to alfonzo.nickelton to hide the identity of this account. Also, felicidad.bateman@outlook.com is another account I control, but the name has been changed to felicidad.bateman to protect the identity of that specific account, too.

Delivered-To: alfonzo.nickelton@gmail.com
Received: by 2002:a0c:f98e:0:0:0:0:0 with SMTP id t14csp294251qvn;
Tue, 18 Aug 2020 06:22:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz5zj6xP3vif44hBEhrSs8k4bAgv+walUkYqQzhUsO14Y/Rf2Z808Wg23VrJI3P/FrbSeHA
X-Received: by 2002:aca:1202:: with SMTP id 2mr12148139ois.79.1597756948818;
Tue, 18 Aug 2020 06:22:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597756948; cv=none;
d=google.com; s=arc-20160816;
b=GotMZYZSToo3oCwqRYyRaxQVQJ2sxS5q3YBkymD5kmGrDizwrSuwG2vBFgLHt3a748
mVkO1CWPaELOhIjbfuirA+oCQuKosfUeC9oCcpwrACgZiYwK4TvEzjU+Y97kehZm1tNq
lIIVMaRecFJJ4/6t2hqu9EcDMpUboWezqehjZKQKm/n2Hhup8Y+0od3O//qannlBdy3Y
nha+1zwSIsLeBzFkeqbeTCMjESig+BFR9j4+SUn/8E0kZvcZGk8QelLpGSI+jacFgECu
V5j6Sc1YaPlmibYGpQIx7GOSAHNTe2Hrn7GfNgURCWXgN+/5bXaQL6yJPolteSrJBY69
AZJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:mime-version:subject:to:from:date
:dkim-signature:message-id;
bh=iqQr5Z1a3+g6QLrUi/SnUk0+zDvhHIg6nw/oUROsOpc=;
b=FJkLTJM+iUhMtNrXOQpLBHhn5e9MHL12jUj4GiRFEp5uEEmHvaJI55ZbbbpqdGnX8Q
pNpUW/C4+g3r0jVpbu/sLHpZ2GDMc+iHiR9mRLFA7tX+COrPH8t9unOG/4W4yYM2fEkn
RphtUkp8gdddNIZEduC6f7qHge34w15db3+pgm3L3hWEUEBYePbMslH3mBe5ZFTr+Rc6
x7jd5Xufnu671xwkdLZjjmtbowdwsruD3Rvcq1bf/Vzpb33V6sABrJddRXfWQGoSBMWg
gd3qAxPv9HslFYusHbm9/CmMKMe7aXZvVjWc/Of5WGISvMX0lTE0L0Mu0oWrYBAxZuiD
ZTcA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@lusaanlogistics.com header.s=default header.b=CFYYVhly;
spf=pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) smtp.mailfrom=karla.saavedra@lusaanlogistics.com;
dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=lusaanlogistics.com
Return-Path: <karla.saavedra@lusaanlogistics.com>
Received: from server.decidetuweb.com (server.decidetuweb.com. [185.148.128.148])
by mx.google.com with ESMTPS id c23si11709263otk.181.2020.08.18.06.22.27
for <alfonzo.nickelton@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Tue, 18 Aug 2020 06:22:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) client-ip=185.148.128.148;
Authentication-Results: mx.google.com;
dkim=pass header.i=@lusaanlogistics.com header.s=default header.b=CFYYVhly;
spf=pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) smtp.mailfrom=karla.saavedra@lusaanlogistics.com;
dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=lusaanlogistics.com
Message-ID: <5f3bd613.1c69fb81.cf819.cf8dSMTPIN_ADDED_MISSING@mx.google.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=lusaanlogistics.com; s=default; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Subject:To:From:Date:Sender:Reply-To:Message-ID:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=iqQr5Z1a3+g6QLrUi/SnUk0+zDvhHIg6nw/oUROsOpc=; b=CFYYVhlyufTId2ljSZbE5VZ0ej
OeZLXA1vi94g/oInpLh37C/M8iWbO5cffaOMWJIEbazgshgF+97zGtDlX5YGpzRpTpE3PmlGsXGHB
Bj1cATSuCFSYXJ8AhBwrp5mMxbrO2WIn317Uyu7Y1xD7z17iczOrOYf+3aKwzH2sCBE58WChScI3h
Qcr/q8CcPyLoB12i+TKBfBHHiLymMYK1yBm05Oamxb31sppfQgbT/FDH4gFApFPiQsbWLbHL5W+nn
gov2BZIcu8ZH0AMq17LYRHBvAGi6r5NNzputkVtq6zn2oxKPiJ0yVeqWi3KqwerPlYIKMPHU52Qe9
ocPv8ZFg==;
Received: from [189.113.65.98] (port=49646)
by server.decidetuweb.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <karla.saavedra@lusaanlogistics.com>)
id 1k81ZK-00061a-Dg
for alfonzo.nickelton@gmail.com; Tue, 18 Aug 2020 09:22:26 -0400
Date: Tue, 18 Aug 2020 10:22:26 -0300
From: "Felicidad Bateman" <karla.saavedra@lusaanlogistics.com>
To: <alfonzo.nickelton@gmail.com>
Subject: Attn: Felicidad Bateman - Invoice attached, please read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.decidetuweb.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - lusaanlogistics.com
X-Get-Message-Sender-Via: server.decidetuweb.com: authenticated_id: karla.saavedra@lusaanlogistics.com
X-Authenticated-Sender: server.decidetuweb.com: karla.saavedra@lusaanlogistics.com
X-Source:
X-Source-Args:
X-Source-Dir:

=0DMorning,


=0DIt=E2=80=99s a subscription to submit you invoices to us through their s=
ystem and at the same time you get our business, =0Dthen again I am just a=
ssuming on how system works.

http://abacusnoida.com/js/common_box/corporate_wKF2K_IgF1cAmlWSy/Fxs24mYNy_=
xfrm3N5nx9G81/


Thanks for using Felicidad Bateman!



Felicidad Bateman=0DMain: 582-505.1890 Fax: 582-505.1544=0DEMAIL:felicida=
d.bateman@outlook.com
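An added triage example, not part of the paste, using Python's stdlib email module on a cut-down copy of the headers and body above. The point it surfaces: dkim, spf and dmarc all pass because the message was submitted through the sending domain's own server with the account's login (the esmtpsa hop and X-Authenticated-Sender header), so the signals worth alerting on are the display name that does not match the mailbox, the client IP behind that authenticated hop, a subject that promises an attachment on a lone text/plain part, and the lure URL hidden under quoted-printable soft line breaks.

```python
import re
from email import message_from_bytes, policy

# Constructed from the paste above, cut down to the headers this triage reads
# (ARC/DKIM signature blobs, X-* headers and the Google-side hops omitted).
RAW_MESSAGE = b"""\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lusaanlogistics.com header.s=default header.b=CFYYVhly;
       spf=pass (google.com: domain of karla.saavedra@lusaanlogistics.com designates 185.148.128.148 as permitted sender) smtp.mailfrom=karla.saavedra@lusaanlogistics.com;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=lusaanlogistics.com
Received: from [189.113.65.98] (port=49646)
        by server.decidetuweb.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.93) (envelope-from <karla.saavedra@lusaanlogistics.com>)
        id 1k81ZK-00061a-Dg for alfonzo.nickelton@gmail.com; Tue, 18 Aug 2020 09:22:26 -0400
From: "Felicidad Bateman" <karla.saavedra@lusaanlogistics.com>
Subject: Attn: Felicidad Bateman - Invoice attached, please read
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=0DIt=E2=80=99s a subscription to submit you invoices to us through their s=
ystem and at the same time you get our business, =0Dthen again I am just a=
ssuming on how system works.

http://abacusnoida.com/js/common_box/corporate_wKF2K_IgF1cAmlWSy/Fxs24mYNy_=
xfrm3N5nx9G81/
"""

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    # Verdicts recorded by the receiving MX: all three pass for this sample.
    auth = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg["Authentication-Results"]))
    # The last Received header is the hop nearest the real client; Exim's "esmtpsa"
    # tag there means the message was submitted with the account's own login.
    first_hop = msg.get_all("Received")[-1]
    sender = msg["From"].addresses[0]
    body = msg.get_content()  # policy.default undoes the quoted-printable for us
    return {
        "auth": auth,
        "client_ip": next(iter(re.findall(r"from \[(\d+(?:\.\d+){3})\]", first_hop)), None),
        "authenticated_submission": " esmtpsa " in first_hop,
        "from_name": sender.display_name,
        "from_addr": sender.addr_spec,
        # A display name lifted from a stolen contact list rarely matches the mailbox.
        "name_matches_mailbox": any(w in sender.addr_spec.lower() for w in sender.display_name.lower().split()),
        "urls": re.findall(r"https?://\S+", body),
        # The subject promises an attachment, but a lone text/plain part carries none.
        "claims_attachment": "attach" in msg["Subject"].lower(),
        "has_attachment": msg.is_multipart(),
    }
```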