API tools faq
paste
Racco42

2017-08-01 GlobeImposter "Your order has been despatched"

Racco42
Aug 1st, 2017
2,102
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.75 KB | None | 0 0
raw download clone embed print report
  1. 2017-08-01: #GlobeImposter email phishing camapign "Your order has been despatched"
  2. Samples: 570
  3.  
  4. Email sample:
  5. ---------------------------------------------------------------------------------------------------------
  6. From: [email protected]
  7. To: [REDACTED]
  8. Subject: Your order has been despatched
  9. Date: Tue, 01 Aug 2017 14:37:08 +0530
  10. Dear Customer
  11.  
  12. The attached document* provides details of items that have been packed and are ready for despatch.
  13.  
  14. Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
  15.  
  16. Customer Services (for customers in the UK mainland)
  17. Call: 03332 406406
  18. Email: [email protected]
  19.  
  20. Opening Hours:
  21. Mon - Fri: 8am - 6pm
  22. Saturday: 9am - 5pm
  23.  
  24. Export Sales (for customers outside UK mainland)
  25. Call: +44 1297 33666
  26. Email: [email protected]
  27.  
  28. Opening Hours:
  29. Mon - Fri: 8am - 5.30pm (GMT)
  30.  
  31. Kind regards
  32.  
  33. Axminster Tools & Machinery
  34. Unit 10 Weycroft Avenue, Axminster EX13 5PH
  35. http://www.lux-studio.co.uk
  36.  
  37. * In order to read or print the attached document, you will need to install Adobe Reader. You can download Adobe Reader free of charge by visiting http://www.adobe.com/
  38. products/acrobat/readstep2.html
  39.  
  40. Attachment: LN8199906.zip -> LN1364887.js
  41. ---------------------------------------------------------------------------------------------------------
  42. - sender is customer.service@<domain>
  43. - subject is "Your order has been despatched"
  44. - attached file "LN<7 digits>.zip" contains file "LN<7 digits>.js" a JScritp downloader which downloads from:
  45.  
  46. Download sites (URL contains suffix ??<random>=<random> which does not influence download):
  47. http://aimtravel.pl/94hg4g4g
  48. http://aitree.com/94hg4g4g
  49. http://bccapital.com/94hg4g4g
  50. http://dreamoneday.com/94hg4g4g
  51. http://edutechservices.in/94hg4g4g
  52. http://hanak-nafotil.kvalitne.cz/94hg4g4g
  53. http://inoveinternet.com.br/94hg4g4g
  54. http://kt-mm.com/94hg4g4g
  55. http://labettolasaigon.com/94hg4g4g
  56. http://lifestyleplumbing.com.au/94hg4g4g
  57. http://mybutterhalf.com/94hg4g4g
  58. http://petsplace.ca/94hg4g4g
  59. http://profileto.com/94hg4g4g
  60. http://samogonochka.net/94hg4g4g
  61. http://sethiwriting.com/94hg4g4g
  62. http://slvideo.net/94hg4g4g
  63. http://snehil.com/94hg4g4g
  64. http://stillsmokin.bravepages.com/94hg4g4g
  65. http://tbdexpress.com/94hg4g4g
  66. http://ttcpv.com/94hg4g4g
  67. http://urachart.com/94hg4g4g
  68. http://visitmymedia.com/94hg4g4g
  69. http://zubairfazal.com/94hg4g4g
  70.  
  71. Malware:
  72. - SHA256 64269fdc099cf6d45a29e26fd54ad4f78c1a91b58e4fb77a8247d47086f71572, MD5 ece16814e892478cfb747662a49e6d9e
  73. - VT: https://www.virustotal.com/en/file/64269fdc099cf6d45a29e26fd54ad4f78c1a91b58e4fb77a8247d47086f71572/analysis/
  74. - HA: https://www.reverse.it/sample/64269fdc099cf6d45a29e26fd54ad4f78c1a91b58e4fb77a8247d47086f71572?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!