Tuesday, November 28, 2017

*@* - recibo de pago según lo acordado!

Hola.

Como habíamos conversado el día 21/11/2017 Se ha efectuado la transferencia a su cuenta sobre la anulación de la compra, Por favor verifique.

Nota: Usted puede imprimir el recibo Clicando Aquí

B&F - Abogados Asociados - CL

Email analysis :

NOTE : abogados82734.com@live.com
NOTE : root@live.com
NOTE : root@live.com does not designate 173.255.211.90 as permitted sender


Phishing analysis :

CLICK : Clicando Aquí
STUDY LINK : https://bit.do/dUvpv?*@*.com
REMOVE EMAIL : https://bit.do/dUvpv
ADD - : https://bit.do/dUvpv-
SCREENSHOT :


DOWNLOAD : http://inmisrad.org/Comprobante.zip
FILE : VIRUS

Virus :

Cyren : JS/Downldr.ES2!Eldorado
DrWeb : VBS.Psyme.126
ESET-NOD32 : JS/TrojanDownloader.Banload.RM
F-Prot : JS/Downldr.ES2!Eldorado
Ikarus : Win32.Outbreak
Kaspersky : HEUR:Trojan.Script.Agent.gen
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Qihoo-360 : virus.js.qexvmc.1080
Rising : Downloader.Banload!8.15B (TOPIS:acBkcffG9cJ)
Symantec : JS.Downloader!gen40
ZoneAlarm : HEUR:Trojan.Script.Agent.gen

Paste :

PASTE : https://pastebin.com/upZWkBFT

Wednesday, November 16, 2016

< no subject >


2016111105002973550858.zip

File analysis :

Download : 2016111105002973550858.zip
Result : 2016111105002973550858.zip is a virus.

Virus analysis :

ALYac Trojan.JS.Downloader.GYQ
AVG JS/Downloader.Agent.62_I
AVware Trojan-Downloader.JS.Nemucod.bbp (v)
Ad-Aware Trojan.JS.Downloader.GYQ
AegisLab Troj.Downloader.Js.Cryptoload!c
AhnLab-V3 JS/Obfus
Antiy-AVL Trojan/Generic.ASVCS3S.3F7
Arcabit Trojan.JS.Downloader.GYQ
Avast JS:Downloader-DSB [Trj]
Avira (no cloud) HEUR/Suspar.Gen
Baidu JS.Trojan-Downloader.Nemucod.od
BitDefender Trojan.JS.Downloader.GYQ
CAT-QuickHeal JS.Locky.JE
Cyren JS/Nemucod.CA2
DrWeb JS.DownLoader.1225
ESET-NOD32 JS/TrojanDownloader.Nemucod.BMK
Emsisoft Trojan.JS.Downloader.GYQ (B)
F-Prot JS/Nemucod.CA2
F-Secure Trojan.JS.Downloader.GYQ
Fortinet JS/Nemucod.BDA!tr
GData Trojan.JS.Downloader.GYQ
Ikarus Trojan-Downloader.JS.Nemucod
K7AntiVirus Trojan ( 004dfe6d1 )
K7GW Trojan ( 004dfe6d1 )
Kaspersky Trojan-Downloader.JS.Agent.nbi
McAfee JS/Nemucod.jg
McAfee-GW-Edition JS/Nemucod.jg
eScan Trojan.JS.Downloader.GYQ
Microsoft TrojanDownloader:JS/Nemucod!rfn
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
Rising Downloader.Cryptoload!8.7DA (topis)
Sophos Mal/DrodZp-A
Symantec Trojan.Gen.NPE
Tencent Js.Trojan.Raas.Auto
TrendMicro JS_NEMUCOD.SMK14
VIPRE Trojan-Downloader.JS.Nemucod.bbp (v)

Final result :

I opened the virus, and the raw version of this virus is here : http://pastebin.com/raw/FVM8wh4v

This virus sounds like a ransomware...

Email analysis :

NOTE : diann.laughton99@winterbrew.com
NOTE : User-Agent : Microsoft-MacOutlook/14.0.0.100825
NOTE : Received : from customer-SLRC-130-213.megared.net.mx
NOTE : (unknown [201.164.130.213])

Tuesday, September 1, 2015

Payment for driving on toll road, invoice #00000485134 (Virus)

Notice to Appear,

You have not paid for driving on a toll road.
You are kindly asked to service your debt in the shortest time possible.

You can find the invoice is in the attachment.

Yours faithfully,
Warren Mccarthy,
E-ZPass Manager.

E-ZPass_Invoice_00000485134.zip

File analysis :

OPEN : E-ZPass_Invoice_00000485134.zip
RESULT : File is a virus.

Virus analysis :

ALYac : JS:Trojan.Crypt.NO
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.Crypt.NO
Arcabit : JS:Trojan.Crypt.NO
Avira : HTML/ExpKit.Gen2
BitDefender : JS:Trojan.Crypt.NO
Comodo : Heur.Dual.Extensions
Cyren : JS/Nemucod.D.gen
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AV
Emsisoft : JS:Trojan.Crypt.NO (B)
F-Prot : JS/Nemucod.D.gen
F-Secure : JS:Trojan.Crypt.NO
Fortinet : JS/Nemucod.AJ!tr.dldr
GData : JS:Trojan.Crypt.NO
McAfee : JS/Nemucod.i
MicroWorld-eScan : JS:Trojan.Crypt.NO
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : Troj/JSDldr-AF
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.Crypt.NO

Email analysis :

NOTE : cadaloz@kadir.doyumsuzgeceler.com
NOTE : Mime-Version : 1.0
NOTE : X-Priority : 3
NOTE : X-Php-Script : cadaloz.net/post.php for 94.23.148.159
NOTE : Received : from kadir.doyumsuzgeceler.com
NOTE : (37.58.75.120-static.reverse.softlayer.com. [37.58.75.120])