Sunday, June 12, 2016

Samantha Gann sent you "Scan001.zip"

Samantha Gann shared a file with you on Dropbox

The updated agreement with AlixPartners

Scan001.zip

Download

© 2016 Dropbox

Email analysis :

NOTE : From : no-reply@dropbox.com (does not match the Return-Path below)
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : <americanexpress@welcome.aexp.com>
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : Received : from unknown (HELO NNZCABJO) (1.47.202.181) - no reverse DNS, HELO name is not a hostname
NOTE : Subject : Samantha Gann sent you "Scan001.zip"

File analysis :

CLICK : DOWNLOAD
OPEN : https://www.cubbyusercontent.com/pl/Scan001.zip/_6ec59f8ef081469e9dba0d304a99cb9d
FILENAME : Scan001.zip
RESULT : Malicious archive (JavaScript downloader; vendor detections below)

Virus analysis :

SHA256: e68dfb45eb15d675073486679ac94cac1788ea5c54a3e39cb9cddddaf73a179e
FILENAME : Scan001.zip
AVG : Downloader.Generic_c.ALTL
Ad-Aware : Trojan.GenericKD.3298975
AegisLab : Exploit.Script.Generic!c
Arcabit : Trojan.Generic.D32569F
Avast : Other:Malware-gen [Trj]
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3298975
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.ADU
Emsisoft : Trojan.GenericKD.3298975 (B)
F-Secure : Trojan.GenericKD.3298975
Fortinet : JS/Nemucod.ET!tr.dldr
GData : Trojan.GenericKD.3298975
Ikarus : JS.Trojan-Downloader.Rogue
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Exploit.Script.Generic
McAfee : Generic.yd
McAfee-GW-Edition : Generic.yd
eScan : Trojan.GenericKD.3298975
Microsoft : TrojanDownloader:JS/Nemucod.AT
Rising : Exploit.Generic!8.3E1-aXLPd6nZxPO (Cloud)
TrendMicro : JS_NEMUCOD.QDA
TrendMicro-HouseCall : JS_NEMUCOD.QDA
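Before anyone double-clicks a "scan" archive, it is worth listing what is inside it without running anything. The following is an added example, not code from the original post: it walks a ZIP's members, hashes them, and flags the pattern the detections above describe (a script-host file such as .js as the archive's only member), plus double extensions, encrypted members and extreme compression ratios. The sample archive is constructed inline; the member name Scan001.js and its placeholder text are assumptions, since the post does not list the archive's contents, so its hash will not equal the SHA256 quoted above.

```python
"""ZIP attachment triage (added example; not the post's own tooling)."""
import hashlib
import io
import zipfile

# Extensions Windows runs or hands to a script host on double-click. A lone one of
# these inside a "scan"/"invoice" archive is the JS-downloader (Nemucod) lure shape.
SCRIPT_HOST_EXT = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "ps1", "cmd", "bat",
                   "exe", "scr", "pif", "lnk", "jar"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_zip(data):
    """Inspect an archive given as bytes. Nothing is written to disk or executed."""
    result = {"sha256": sha256_hex(data), "members": [], "findings": []}
    if not data.startswith(b"PK\x03\x04"):
        result["findings"].append("no ZIP signature at offset 0")
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            if "\u202e" in base:  # right-to-left override hides the real extension
                result["findings"].append("right-to-left override in name: %r" % base)
            if ext in SCRIPT_HOST_EXT:
                result["findings"].append("script/executable member: %s" % base)
                if len(parts) > 2:
                    result["findings"].append("double extension: %s" % base)
            if info.flag_bits & 0x1:  # traditional PKZIP encryption bit
                result["findings"].append("encrypted member (scanners cannot inspect): %s" % base)
                result["members"].append((base, info.file_size, None))
                continue
            if info.compress_size and info.file_size / info.compress_size > 100:
                result["findings"].append("extreme compression ratio: %s" % base)
            result["members"].append((base, info.file_size, sha256_hex(zf.read(info))))
    scripts = [m for m in result["members"]
               if m[0].lower().rsplit(".", 1)[-1] in SCRIPT_HOST_EXT]
    if len(result["members"]) == 1 and scripts:
        result["findings"].append(
            "archive holds a single file and it is a script (downloader lure pattern)")
    return result


def build_archive(files):
    """Build a ZIP in memory from {name: text}. Constructed test data, not the real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Assumed stand-in for Scan001.zip: one .js member with harmless placeholder text.
SAMPLE_LURE = build_archive(
    {"Scan001.js": "// placeholder: the real member is an obfuscated downloader\n"})

if __name__ == "__main__":
    report = triage_zip(SAMPLE_LURE)
    print("sha256:", report["sha256"])
    for member in report["members"]:
        print("member:", member)
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against a real attachment with `triage_zip(open(path, "rb").read())`; the hashes in the report are what you submit to a multi-engine scanner, and the member list tells you whether the "scan" is a document or a script before any user sees it.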

Sunday, December 27, 2015

Hello, (Scam)

Hello, How are you today? I am Renee Torres, 16 years old, from Wooster in the state of Ohio, United States of America. I was raised by a single mother who died a few years ago. Before she died she bequeathed her properties, valued at 3.9 million dollars, to me as her only daughter, but my stepfather, who has drug and alcohol problems, treats me very badly and threatens to kill me if I do not hand the property documents over to him. I must leave this house as soon as possible; all I need is a guardian who will stand by me so I can claim my inheritance, because I have no other surviving family member to run to. Please help me and I will remain forever grateful; I will explain further when I hear from you. Attached is my picture so you know what I look like. I hope to hear from you soon. Regards, Miss Renee Torres.

Email analysis :

NOTE : From : reneetow96@gmail.com
NOTE : Received : from tri.tribomidia.com.br
NOTE : (tri.tribomidia.com.br. [192.163.199.37])
NOTE : avn.org.br/wp-includes/css/YellowMailer.php for 105.189.58.137 (PHP mailer script dropped into a WordPress install)

Tuesday, October 27, 2015

We were unable to process your most recent payment... (Amazon Phishing)

Amazon.com

Today's Deals See All Departments

= = = = = = = = = = = = = = = = = = = =

We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card? To ensure that your service is not interrupted, please update your billing information today.

Confirm your account now

We're available 24 hours a day, 7 days a week. If you have recently updated your billing information, please disregard this message as we are processing the changes you have made. If you need further assistance with your order.

= = = = = = = = = = = = = = = = = = = =

Amazon.com
Connect with us

Phishing analysis :

CLICK : Confirm your account now
OPEN : http://www.intellectualjourneyofenlightenment.org/admin/css/amazon.com-verification/id/
RESULT : "This Account Has Been Suspended" (hosting account already taken down)

intellectualjourneyofenlightenment.org whois :

Registrant ID:DI_41908394
Registrant Name:Atul Kumar Jain
Registrant Organization:intellectualjourneyofenlightenment.org
Registrant Street: 363, sec 15
Registrant City:Panchkula
Registrant State/Province:Haryana
Registrant Postal Code:134114
Registrant Country:IN
Registrant Phone:+91.9888054461
Registrant Email:atul.jain2711@gmail.com
Admin ID:DI_41908394

Email analysis :

NOTE : From : noreply@amzon.support82.e-i.com (lookalike "amzon")
NOTE : Sending host : 192.163.247.190 (ami.amiableargument.com)
NOTE : X-Source-Args : /usr/bin/php /home/wwwtheiv/public_html/clientscript/ie7/wp-confiiig.php (name mimics wp-config.php)
NOTE : Received : from wwwtheiv by ami.amiableargument.com
NOTE : (envelope-from <wwwtheiv@ami.amiableargument.com>)
NOTE : X-Mailer : theivoryquill.com
NOTE : X-Php-Script : theivoryquill.com/clientscript/ie7/wp-confiiig.php
NOTE : for 185.109.161.21
NOTE : X-Get-Message-Sender-Via : ami.amiableargument.com: authenticated_id: wwwtheiv/only user confirmed/virtual account not confirmed
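The header sets quoted for the Dropbox lure (an American Express Return-Path behind a dropbox.com From, a bare HELO name, no reverse DNS) and for this Amazon lure (a lookalike domain, sent by a PHP script on a shared host, the same shape as the YellowMailer.php case above) call for the same handful of checks. The code below is an added example, not from the original post: it runs those checks over two messages reconstructed from the quoted headers. The Subject lines, the "Dropbox" display name and the placeholder bodies are assumptions added so the messages parse, and the brand-domain allowlist is illustrative.

```python
"""Header triage for the lures quoted above (added example; not the post's own tooling)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: domains that legitimately send for each impersonated brand.
BRAND_DOMAINS = {
    "dropbox": {"dropbox.com", "dropboxmail.com"},
    "amazon": {"amazon.com"},
}

# Reconstructed from the page's headers; Subject, display name and body are assumptions.
DROPBOX_MAIL = """\
Return-Path: <americanexpress@welcome.aexp.com>
Received: from unknown (HELO NNZCABJO) (1.47.202.181)
From: Dropbox <no-reply@dropbox.com>
Subject: Samantha Gann sent you "Scan001.zip"
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>lure body omitted</html>
"""

AMAZON_MAIL = """\
Received: from wwwtheiv by ami.amiableargument.com
  (envelope-from <wwwtheiv@ami.amiableargument.com>)
From: noreply@amzon.support82.e-i.com
Subject: We were unable to process your most recent payment...
X-Mailer: theivoryquill.com
X-Php-Script: theivoryquill.com/clientscript/ie7/wp-confiiig.php for 185.109.161.21
X-Source-Args: /usr/bin/php /home/wwwtheiv/public_html/clientscript/ie7/wp-confiiig.php
X-Get-Message-Sender-Via: ami.amiableargument.com: authenticated_id: wwwtheiv/only user confirmed/virtual account not confirmed

<html>lure body omitted</html>
"""


def domain_of(addr):
    """Bare, lower-cased domain of an RFC 5322 address; '' if there is none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a brand name is a lookalike label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_headers(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    received = msg.get_all("Received") or []

    # Envelope sender: Return-Path if the MX added one, else envelope-from in Received.
    rp = msg.get("Return-Path")
    if rp is None:
        for rcv in received:
            m = re.search(r"envelope-from\s+<([^>]+)>", rcv)
            if m:
                rp = m.group(1)
                break
    rp_dom = domain_of(rp or "")
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path mismatch: From=%s Return-Path=%s" % (from_dom, rp_dom))

    for rcv in received:
        rcv = " ".join(rcv.split())  # unfold continuation lines
        m = re.search(r"\(HELO\s+([^)\s]+)\)", rcv)
        if m and "." not in m.group(1):
            findings.append("non-FQDN HELO name: %s" % m.group(1))
        if rcv.startswith("from unknown"):
            findings.append("submitting host has no reverse DNS")

    # Mail injected by a PHP script on a web host (cPanel/Exim stamp these headers).
    for hdr in ("X-Php-Script", "X-Source-Args", "X-Mailer", "X-PHP-Originating-Script"):
        val = msg.get(hdr)
        if val and ".php" in val.lower():
            findings.append("sent by a PHP script on a web host (%s: %s)" % (hdr, val.strip()))

    claim_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claim_text and not any(
                from_dom == d or from_dom.endswith("." + d) for d in allowed):
            findings.append("claims %s but From domain is %s" % (brand, from_dom))
        for label in from_dom.split("."):
            if len(label) >= 4 and label != brand and edit_distance(label, brand) == 1:
                findings.append("lookalike label %r for brand %s" % (label, brand))
    return findings


if __name__ == "__main__":
    for name, raw in (("dropbox lure", DROPBOX_MAIL), ("amazon lure", AMAZON_MAIL)):
        print(name)
        for finding in triage_headers(raw):
            print("  -", finding)
```

The Dropbox message trips on its envelope sender and on the HELO, not on the From, which is why a From-only filter lets it through; the Amazon message trips on the PHP-script headers and the "amzon" label even though nothing in it literally says "amazon".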

Payment Swift Copy

sir,

Upon request, your customer has advised of your payment. Be informed that the following payment has been made to your account as per the attached HSBC payment swift copy. You are advised to confirm receipt of payment as detailed.

Yours faithfully,
Global Payments and Cash Management.

HSBC

Attachment : HSBC Payment Swift copy.doc (1.3KB)

Link analysis :

NOTE : http://peridotsgroup.com/colins/HSBC%20Payment%20Swift%20copy.doc
NOTE : BitDefender : Malware site
NOTE : Emsisoft : Malware site

File analysis :

Avira : EXP/CVE-2012-0158
CAT-QuickHeal : Exp.RTF.CVE-2012-0158
DrWeb : Exploit.Rtf.CVE2012-0158
Kaspersky : Exploit.Win32.CVE-2012-0158.j
Qihoo-360 : virus.exp.20120158
Rising : NORMAL:Hack.CVE-2012-0158.a!1614593 [F]
Sophos : Troj/DocDrop-DT
Symantec : Bloodhound.RTF.3
TrendMicro : HEUR_RTFMALFORME

Email analysis :

NOTE : From : purchasemanager@tescogroup.com
NOTE : Received : by endpoint708401cf.chios.panth.io
NOTE : 162.242.168.6 ()