2017-08-03 GloabeImposter "IMG_xxxx.BMP"

1. 2017-08-03: #GlobeImposter email phishing campaign "IMG_xxxx.BMP"
2. Samples: 701
3.  
4. Email sample:
5. -----------------------------------------------------------------------------------------------------------------------
6. From: celeste tessequeau <celesteIAJtessequeau@gmail.com>
7. To: [REDACTED]
8. Subject: IMG_0566.BMP
9. Date: Thu, 03 Aug 2017 16:24:25 +0530
10.  
11. Attachment: IMG_0566.zip -> IMG_1478.js
12. -----------------------------------------------------------------------------------------------------------------------
13. - sender is <random>@gmail.com
14. - subject is "IMG_<4 digits>.<BMP|PDF|JPEG|JPG|GIF>
15. - email body is empty
16. - attached file "IMG_<4 digits>.zip" contains file "IMG_<4 digits>.js", a JSsript downloader which will download malware from:
17.  
18. Download sites (URL contains suffix ??<random>=<random> which does not influence download):
19. http://amaiba.com/87wefhi
20. http://attilabalogh.com/87wefhi
21. http://azlinshaharbi.com/87wefhi
22. http://coryrussellcoaching.com/87wefhi
23. http://eco-bricks.com/87wefhi
24. http://flooringforyou.co.uk/87wefhi
25. http://gandeel-trading.com/87wefhi
26. http://henweekendsbirmingham.co.uk/87wefhi
27. http://iida-sevensuns.com/87wefhi
28. http://jaysonmorrison.com/87wefhi
29. http://rollingmeadowsmassage.com/87wefhi
30. http://sstsjv.com/87wefhi
31. http://tasgetiren.com/87wefhi
32. http://vangoframer.com/87wefhi
33. http://wendybull.com.au/87wefhi
34. http://wir.hebammen.at/87wefhi
35. http://wskrescue.com/87wefhi
36. http://xlrqradio.com/87wefhi
37.  
38. Malware:
39. - SHA256 acde107852738491b5b9f4c47b2b7bd7627e4ae71a57a24b5757cec13ada321c, MD5 1a16f375e18a096b34104401ad8fff58
40. - VT: https://www.virustotal.com/en/file/acde107852738491b5b9f4c47b2b7bd7627e4ae71a57a24b5757cec13ada321c/analysis/1501757950/
41. - HA: https://www.reverse.it/sample/acde107852738491b5b9f4c47b2b7bd7627e4ae71a57a24b5757cec13ada321c?environmentId=100