Tuesday, November 28, 2017

Anko Ship / export inquiry (Virus)

Dear sir/Madam

Thank you for doing business with us in the past. My name is Tonia and i am representing Anko Ship & Export. Please find attached our updated company profile with required technical details and contract terms for attached inquiry.

Please review the contract and also quote your best quote and payment terms.

Thanks and kind regards.

Mrs Tonia

Anko inquiry 1511855105.jar
ANKO DOC.rar

File analysis (Virus) :

Anko inquiry 1511855105.jar

Baidu : Java.Trojan.Agent.a
Cyren : Java/Agent.BEL
F-Prot : Java/Agent.BEL
Ikarus : Win32.Outbreak

ANKO DOC.rar :

Baidu : Java.Trojan.Agent.a
Cyren : Java/Agent.BEL
F-Prot : Java/Agent.BEL
Ikarus : Win32.Outbreak
Sophos AV : Mal/DrodZp-A

Email analysis :

NOTE : import@bondagency.com
NOTE : User-Agent : Roundcube Webmail/1.2.7
NOTE : Received : from pleskbusinessweb.if1.housing.ehiweb.it
NOTE : (pleskbusinessweb.if2.housing.ehiweb.it [79.98.45.57])

Friday, November 3, 2017

Emailing: MD10 - 01.11.2017 (Virus)

Your message is ready to be sent with the following file or link
attachments:
MD10 - 01.11.2017

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your
e-mail security settings to determine how attachments are handled.

--
Thanks & Regards
Eric Sherwin
Senior Officer
Accounts & Finacne

MD10 - 01.11.2017.doc

Email analysis :

NOTE : Eric_dhiman@dickscheid.net
NOTE : Received : from 84.120.144.159.dyn.user.ono.com
NOTE : (84.120.144.159.dyn.user.ono.com [84.120.144.159])


NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Thunderbird/27.0

File analysis :

- OPEN : MD10 - 01.11.2017.doc
- FILE MD10 - 01.11.2017.doc is a virus

Virus analysis :

{"scans": {"Bkav": {"detected": false, "version": "1.3.0.9367", "result": null, "update": "20171102"}, "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20171102"}, "MicroWorld-eScan": {"detected": false, "version": "14.0.297.0", "result": null, "update": "20171103"}, "nProtect": {"detected": false, "version": "2017-11-03.01", "result": null, "update": "20171103"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20171102"}, "CAT-QuickHeal": {"detected": false, "version": "14.00", "result": null, "update": "20171102"}, "McAfee": {"detected": false, "version": "6.0.6.653", "result": null, "update": "20171031"}, "Malwarebytes": {"detected": false, "version": "2.1.1.1115", "result": null, "update": "20171103"}, "VIPRE": {"detected": false, "version": "62170", "result": null, "update": "20171103"}, "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20171103"}, "TheHacker": {"detected": false, "version": "6.8.0.5.2121", "result": null, "update": "20171102"}, "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20170911"}, "K7GW": {"detected": false, "version": "10.29.25124", "result": null, "update": "20171102"}, "K7AntiVirus": {"detected": false, "version": "10.29.25131", "result": null, "update": "20171102"}, "Baidu": {"detected": true, "version": "1.0.0.2", "result": "Win32.Trojan-Downloader.Agent.kn", "update": "20171103"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "LNK/Downldr.gen", "update": "20171103"}, "Symantec": {"detected": true, "version": "1.4.0.0", "result": "Trojan.Mdropper", "update": "20171102"}, "ESET-NOD32": {"detected": true, "version": "16347", "result": "LNK/TrojanDownloader.Agent.HW", "update": "20171103"}, "TrendMicro-HouseCall": {"detected": true, "version": "9.950.0.1006", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "Avast": {"detected": true, "version": "17.7.3660.0", "result": "Other:Malware-gen [Trj]", "update": "20171103"}, "ClamAV": {"detected": true, "version": "0.99.2.0", "result": "Img.Dropper.PhishingLure-6362648-0", "update": "20171102"}, "Kaspersky": {"detected": true, "version": "15.0.1.13", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171102"}, "BitDefender": {"detected": true, "version": "7.2", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "NANO-Antivirus": {"detected": false, "version": "1.0.100.19905", "result": null, "update": "20171103"}, "ViRobot": {"detected": true, "version": "2014.3.20.0", "result": "DOC.Z.Agent.132562", "update": "20171103"}, "Tencent": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20171103"}, "Ad-Aware": {"detected": false, "version": "3.0.3.1010", "result": null, "update": "20171103"}, "Emsisoft": {"detected": true, "version": "4.0.1.883", "result": "Trojan.Agent.CPMC (B)", "update": "20171103"}, "Comodo": {"detected": false, "version": "27990", "result": null, "update": "20171103"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "DrWeb": {"detected": true, "version": "7.0.28.2020", "result": "PowerShell.DownLoader.455", "update": "20171103"}, "Zillya": {"detected": false, "version": "2.0.0.3420", "result": null, "update": "20171102"}, "TrendMicro": {"detected": true, "version": "9.862.0.1074", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "McAfee-GW-Edition": {"detected": false, "version": "v2015", "result": null, "update": "20171103"}, "Sophos": {"detected": true, "version": "4.98.0", "result": "Mal/DownLnk-D", "update": "20171103"}, "Cyren": {"detected": true, "version": "5.4.30.7", "result": "ZIP/Trojan.VNUH-5", "update": "20171103"}, "Jiangmin": {"detected": false, "version": "16.0.100", "result": null, "update": "20171103"}, "Webroot": {"detected": false, "version": "1.0.0.207", "result": null, "update": "20171103"}, "Avira": {"detected": true, "version": "8.3.3.6", "result": "TR/Agent.cznoe", "update": "20171103"}, "Fortinet": {"detected": true, "version": "5.4.247.0", "result": "LNK/Agent.AG!tr.dldr", "update": "20171103"}, "Antiy-AVL": {"detected": false, "version": "3.0.0.1", "result": null, "update": "20171103"}, "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20171103"}, "Arcabit": {"detected": true, "version": "1.0.0.827", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "AegisLab": {"detected": true, "version": "4.2", "result": "Troj.Winlnk.Agent!c", "update": "20171103"}, "ZoneAlarm": {"detected": true, "version": "1.0", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171103"}, "Avast-Mobile": {"detected": false, "version": "171102-04", "result": null, "update": "20171102"}, "Microsoft": {"detected": true, "version": "1.1.14306.0", "result": "TrojanDownloader:O97M/Donoff!lnk", "update": "20171103"}, "AhnLab-V3": {"detected": true, "version": "3.10.1.19128", "result": "LNK/Autorun.Gen", "update": "20171102"}, "ALYac": {"detected": false, "version": "1.1.1.2", "result": null, "update": "20171103"}, "AVware": {"detected": false, "version": "1.5.0.42", "result": null, "update": "20171102"}, "MAX": {"detected": true, "version": "2017.6.26.1", "result": "malware (ai score=99)", "update": "20171103"}, "VBA32": {"detected": false, "version": "3.12.26.4", "result": null, "update": "20171102"}, "WhiteArmor": {"detected": false, "version": null, "result": null, "update": "20171024"}, "Zoner": {"detected": true, "version": "1.0", "result": "LNKScript", "update": "20171103"}, "Rising": {"detected": true, "version": "25.0.0.1", "result": "Trojan.Downloader!1.A420 (CLASSIC)", "update": "20171103"}, "Yandex": {"detected": false, "version": "5.5.1.3", "result": null, "update": "20171102"}, "Ikarus": {"detected": true, "version": "0.1.5.2", "result": "Trojan-Downloader.PS.Agent", "update": "20171102"}, "GData": {"detected": true, "version": "A:25.14678B:25.10801", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "AVG": {"detected": true, "version": "17.7.3660.0", "result": "Other:Malware-gen [Trj]", "update": "20171103"}, "Panda": {"detected": false, "version": "4.6.4.2", "result": null, "update": "20171102"}, "Qihoo-360": {"detected": false, "version": "1.0.0.1120", "result": null, "update": "20171103"}}, "scan_id": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f-1509678306", "sha1": "c10cb42d1ba7732c73c9928bd16ccfd1a161f6d6", "resource": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "response_code": 1, "scan_date": "2017-11-03 03:05:06", "permalink": "https://www.virustotal.com/file/db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f/analysis/1509678306/", "verbose_msg": "Scan finished, information embedded", "total": 61, "positives": 29, "sha256": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "md5": "a54eae632f1557f5104f57c2a87fd144"}

Thursday, August 24, 2017

About Payment 23-08-2017

Good day,

We have been instructed by your customer to make this transfer to you. Please we are very sorry for the delay in the payment, it was due to the Holidays. Attached is the Payment remittance copy for your reference.Please confirm for errors and get back to us through email.

Best Regards,
DANIEL MURRAY
Sharaf Exchange LLC.
Address:Sharaf Exchange Shop No. G15,
Union Co-Op Society,
Al Aweer,Near Fruit and Vegetable Market, Ras Al Khor, Dubai - UAE
Phone No:04-3200698
Website: http://www.sharafexchange.com

IMG-051220378052.DOC

Email analysis :

NOTE : danielmurray@mail.ru
NOTE : Received : from [104.243.26.4] (port=51917 helo=User)


NOTE : by shared.buxar-host.in
NOTE : bylinkove-zdravi@seznam.cz

Virus analysis :

Ad-Aware W97m.Downloader.GCK
AhnLab-V3 W97M/Downloader
BitDefender W97m.Downloader.GCK
DrWeb W97M.DownLoader.1802
eScan W97m.Downloader.GCK
F-Secure W97m.Downloader.GCK
GData W97m.Downloader.GCK
Ikarus Trojan-Downloader.VBA.Agent
MAX malware (ai score=81)
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic

317061979269082.doc (Virus)

317061979269082.doc

Email analysis :

NOTE : Return-Path: < noreply@xo.net >
NOTE : identity=mailfrom; client-ip=208.36.229.61;
NOTE : helo=xo.net; envelope-from=noreply@xo.net;
NOTE : Received: from xo.net (208.36.229.61.ptr.us.xo.net [208.36.229.61])
NOTE : Content-Type: application/msword; name="317061979269082.doc"
NOTE : From: < noreply@ulegv.com >
NOTE : 208.36.229.61.ptr.us.xo.net)

Virus analysis :

Ad-Aware W97M.Downloader.GDB
AegisLab Troj.Script.Agent!c
AhnLab-V3 W97M/Downloader
ALYac Trojan.Downloader.W97M.Gen
Arcabit HEUR.VBA.Trojan.e
Avast Other:Malware-gen [Trj]
AVG Other:Malware-gen [Trj]
Avira W97M/Dldr.Agent.mgjui
Baidu VBA.Trojan-Downloader.Agent.bup
BitDefender W97M.Downloader.GDB
Comodo UnclassifiedMalware
Cyren PP97M/Downldr
DrWeb W97M.DownLoader.1961
Emsisoft Trojan-Downloader.Agent (A)
eScan W97M.Downloader.GDB
ESET-NOD32 VBA/TrojanDownloader.Agent.DYZ
F-Prot New or modified PP97M/Downldr
F-Secure W97M.Downloader.GDB
Fortinet WM/Agent.Q!tr.dldr
GData W97M.Downloader.GDB
Ikarus Trojan-Downloader.VBA.Agent
Kaspersky HEUR:Trojan.Script.Agent.gen
MAX malware (ai score=99)
McAfee W97M/Downloader.cfm
McAfee-GW-Edition W97M/Downloader.cfm
Microsoft TrojanDownloader:O97M/Donoff
Panda O97M/Downloader
Sophos AV Troj/DocDl-KBA
Symantec W97M.Downloader
Tencent Win32.Trojan-downloader.Agent.Sxyr
TrendMicro W2KM_DLOADR.YYTCY
TrendMicro-HouseCall W2KM_DLOADR.YYTCY
ViRobot W97M.S.Agent.76249
ZoneAlarm HEUR:Trojan.Script.Agent.gen

Saturday, May 13, 2017

Notification de la dette (Phishing Banque de France)

Vous avez les dettes.
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez appeler les numéros indiqués sur notre site

Merci d'avance,

Sacha Pierre
Spécialiste responsable de la clientèle
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : banque@banque-france.fr
NOTE : gvbev@fulda170.server4you.de
NOTE : client-ip=62.75.219.171;


NOTE : LINK : http://ascomnotizie.confcommerciocremona.it/edizioni/2013/Settembre/mp3/config/page5.html
NOTE : Download a virus "facture.zip" then redirect to the Banque de France.
NOTE : https://www.banque-france.fr/

The title of the phishing can also be "L\\\'avis de Banque de France sur facturation" with a different content :

Bonjour!

Vous avez reçu une nouvelle facture
La facture à payer peut être consultée sur ce LIEN

Si vous avez des questions vous pouvez nous appeler.

Veuillez d\\\'agréer les salutations distinguées,

Patrice Salmon
Spécialiste responsable de la clientèle
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : infos@banque-france.fr
NOTE : www-data@vs186078.vserver.de
NOTE : Received : from www-data by vs186078.vserver.de


NOTE : LINK : http://deko-studio.ru/templates/jblank/html/com_contact/categories/content2.html
NOTE : Phishing is unresponsive.

The title of the phishing can also be "Notification du paiement" with a different content :

Cher client!

Nous vous informons sur la dette existante
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez nous appeler.

Meilleurs vœux,

Aubin Pascal
Spécialiste responsable de la clientèle
BANQUE DE FRANCE

Email analysis :

NOTE : apache@vps11617909.123-vps.co.uk
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://rolkatravel.ru/includes/Archive/content2.html
NOTE : Redirect to another phishing then Banque de France

The title of the phishing can also be "Rappel de dette" with a different content :

Vous avez reçu la facture de la société Banque de France
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez nous appeler

Meilleurs vœux!

Samy Bouchet
Spécialiste principal responsable de la clientèle
BANQUE DE FRANCE

Email analysis :

NOTE : commercial@banque-france.fr
NOTE : webmaster@missdress.ru
NOTE : Received : from www-data by webs3.ru
NOTE : LINK : http://купить-дом-в-испании.рф/wp-admin/css/colors/blue/content2.html
NOTE : Phishing was removed.


The title of the phishing can also be "Vous avez les dettes" with a different content :

Vous avez les dettes.
Vous pouvez télécharger plus d'informations sur ce LIEN

Si vous avez des questions vous pouvez appeler les numéros indiqués sur notre site

Merci d'avance!

Salomon Legros
Chef
BANQUE DE FRANCE
Tél.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : contact@banque-france.fr
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://smartfitness.com.ua/wp-content/themes/fitnesstheme/fontawesome/css/page6.html
NOTE : Redirect to the Banque de France.

Conclusion

Numerous phishing were removed, but I found one still active and I downloaded a virus called facture.zip

Open facture.zip

AegisLab : Troj.Script.Agent!c
Antiy-AVL : Trojan/Generic.ASVCS3S.3FA
Arcabit : JS:Trojan.Cryxos.725
Avast : Other:Malware-gen [Trj]
AVG : Script/Generic_c.NOE
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : JS:Trojan.Cryxos.725
Comodo : Heur.Dual.Extensions
Cyren : JS/Nemucod.EB1!Eldorado
DrWeb : Trojan.DownLoader24.57175
Emsisoft : JS:Trojan.Cryxos.725 (B)
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CXN
F-Prot : JS/Nemucod.EB1!Eldorado
F-Secure : JS:Trojan.Cryxos.725
Fortinet : JS/Nemucod.CXN!tr
GData : JS:Trojan.Cryxos.725
Ikarus : Trojan-Downloader.JS.Nemucod
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan.Script.Agent.gen
Microsoft : TrojanDownloader:JS/Nemucod
eScan : JS:Trojan.Cryxos.725
Rising : Downloader.Nemucod!8.34 (cloud:EJcAeQsE3jG)
Sophos : Mal/DrodZp-A
Symantec : Trojan.Gen.NPE
Tencent : Js.Trojan-downloader.Nemucod.Gbr
TrendMicro-HouseCall : Suspicious_GEN.F47V0510
ZoneAlarm by Check Point : HEUR:Trojan.Script.Agent.gen

Source code of the virus :

https://pastebin.com/raw/VaBZWADT

Monday, April 24, 2017

Scan Data (VIRUS)

Number of images: 1
Attachment File Type: PDF

Description *

File analysis :

OPEN : Scan_*.pdf
SHA256 : d1efbca78f8847005a369ec24155723ccd257e58cd282429cc04f76f898743b7
RESULT : FILE IS A VIRUS

Virus analysis :

Antiy-AVL : Trojan[Downloader]/MSWord.Agent.bgy
Baidu : Multi.Threats.InArchive
CAT-QuickHeal : O97M.Downloader.AJI
ClamAV : Doc.Dropper.Dridex-6260340-0
Fortinet : WM/TrojanDownloader.7A51!tr
McAfee : W97M/Downloader.brv
McAfee-GW-Edition : BehavesLike.PDF.Trojan.qb
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Qihoo-360 : virus.office.obfuscated.1
Rising : Heur.Macro.Downloader.d (cloud:UJEmOxwGVqO)
TrendMicro : HEUR_VBA.O2
ZoneAlarm by Check Point : HEUR:Trojan-Downloader.Script.Generic

Email analysis :

NOTE : Received : from static.vnpt.vn (unknown [14.164.139.179])
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1)
NOTE : Gecko/20110929 Thunderbird/7.0.1
NOTE : Received : from gra-PC (unknown [114.31.8.46])


NOTE : Street view of 114.31.8.46


IP :

  • 114.31.8.46
  • 14.164.139.179

Tuesday, January 31, 2017

Our USPS courier can not contact you parcel # 781125158 (Virus)

Hello,

Your parcel was successfully delivered at Fri, 27 Jan 2017 12:42:51 +0300
to USPS Station, but our courier cound not contact you.
You can find more details in this e-mail attachment!

All the best.
Alishia Rawe - USPS Station Manager.

Delivery-Details.zip

Email analysis :

NOTE : afoytaay7@maurerfunerals.com.au
NOTE : Received : from maurerfunerals.com.au
NOTE : (194-28-243-94.pppoe.scatplus.ru [194.28.243.94])


File analysis :

OPEN : Delivery-Details.zip
SHA256 : 0ec1592225d89afbe04e8d15a16dfbd95b45864e31a60b0dea1d0529367acf50
RESULT : FILE IS A VIRUS

Virus analysis :

ALYac : Trojan.JS.Downloader.HMV
Ad-Aware : Trojan.JS.Downloader.HMV
AegisLab : Troj.Downloader.Script!c
AhnLab-V3 : JS/Obfus
Antiy-AVL : Trojan[Downloader]/JS.Nemucod
Arcabit : Trojan.JS.Downloader.HMV
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.JS.Downloader.HMV
CAT-QuickHeal : JS.Nemucod.BQN
Cyren : JS/Agent.WN!Eldorado
DrWeb : JS.DownLoader.3302
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CBS
Emsisoft : Trojan.JS.Downloader.HMV (B)
F-Prot : JS/Agent.WN!Eldorado
F-Secure : Trojan.JS.Downloader.HMV
Fortinet : JS/Nemucod.D27C!tr
GData : Trojan.JS.Downloader.HMV
Ikarus : Trojan-Downloader.JS.Nemucod
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.on
McAfee-GW-Edition : JS/Nemucod.on
eScan : Trojan.JS.Downloader.HMV
Microsoft : TrojanDownloader:JS/Nemucod
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Rising : Downloader.Nemucod!8.34-jtWRudNFo0M (cloud)
Sophos : JS/DwnLdr-RHP
Symantec : Trojan.Gen.7
Tencent : Js.Trojan.Raas.Auto

File analysis :

The file contains 3 elements,

- 1 JS script Delivery-Details.js
- 2 blank filename with hashed content.

To have more information about this virus, contact me contact@scam.cz

Thursday, December 8, 2016

Message notification *@gmail.com (Link to virus)


Google

Nddcole Watddson (Google Support) just sent you a message:

06/12/2016

Undeliverable messages (*@gmail.com).

Get more information

Don't want occasional updates about Gmail activity? Change what email Google Team sends you.

Email analysis :

NOTE : Received : from server.oeirasdigital.pt
NOTE : (server.oeirasdigital.pt. [213.229.111.207])
NOTE : client-ip=213.229.111.207;


NOTE : X-Php-Originating-Script : 10000:bisend.php

Link analysis :

CLICK : Get more information
OPEN : http://projetomac.org/wp/Undeliverable_messages.html
DOWNLOAD A FILE : Undeliverable_messages.zip
INFORMATION : Undeliverable_messages.zip is a virus
SHA256 : be0908fbf059517f8ea204d1636e00a7810146fb9c920fc01bb4315b8e8e0067

Virus analysis :

AegisLab Troj.Downloader.Script!c
Arcabit HEUR.JS.Trojan.ba
Cyren JS/Nemucod.EY!Eldorado
F-Prot JS/Nemucod.EY!Eldorado
Fortinet Malware_Generic.P0
K7AntiVirus Trojan ( 004dfe6d1 )
K7GW Trojan ( 004dfe6d1 ) 20161208
Kaspersky HEUR:Trojan-Downloader.Script.Generic
Sophos Mal/DrodZp-A

Exposing virus :

PASTEBIN : http://pastebin.com/20PLKDCB
RAW : http://pastebin.com/raw/20PLKDCB



Tuesday, November 29, 2016

New incoming Fax from 908.8325722

You Have a new Fax message
From: 908.8145483
Receiving date: November 28, 2016
Pages: 3

You can view your message on our website:
https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802

Thank you for using RingCentral.

Link analysis :

CLICK : https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802
OPEN : http://787.vn/wp-content/themes/tourpackage-v1-02/backup/get.php?id=dGVzdEB0ZXN0LmNvbQ==
DOWNLOAD : fax_test.doc

File analysis :


OPEN : fax_test.doc
SHA256 : c0b3934b594a23dd88a42c0e96ccbbf7f88c633a19d82833d6d9bbf47630a0c1
RESULT : fax_test.doc is a virus

Virus analysis :

Avast : VBA:Downloader-DSL [Trj]
ClamAV : Doc.Dropper.Agent-1847249
Kaspersky : Trojan-Downloader.MSWord.Agent.avj
Qihoo-360 : virus.office.gen.70
Sophos : Troj/DocDl-FTZ
Symantec : W97M.Downloader

Email analysis :

NOTE : ringcentral@faxmessage.com
NOTE : 74.143.65.242 (rrcs-74-143-65-242.central.biz.rr.com)


NOTE : Mime-Version : 1.0

Tuesday, November 22, 2016

Your LogMein.com subscription has expired! (Virus)

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.

You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc

Please use another credit card or payment method in order to avoid complete service interruption.

Event type: Credit Card Declined
Account email: *.*
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs

Important Security Notice:
LogMeIn will never for your password or other sensitive information by email.

(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc

Virus analysis :

CLICK : https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc
OPEN : https://reg.vn/en/view_bill.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
DOWNLOAD : lgm_bill89831.doc
lgm_bill89831.doc : VIRUS


lgm_bill89831.doc analysis :

SHA256 : fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac
FILE : lgm_bill89831.doc
ALYac : Trojan.Downloader.W97M.Gen
Ad-Aware : W97M.Downloader.ESE
AegisLab : Troj.Downloader.Msword.Agent!c
Arcabit : W97M.Downloader.ESE
BitDefender : W97M.Downloader.ESE
Cyren : W97M/Nastjencro
ESET-NOD32 : VBA/Kryptik.T
Emsisoft : W97M.Downloader.ESE (B)
F-Prot : New or modified W97M/Nastjencro
F-Secure : Trojan:W97M/Nastjencro.A
GData : W97M.Downloader.ESE
Ikarus : Trojan-Downloader.VBA.Agent 20161121
Kaspersky : Trojan-Downloader.MSWord.Agent.auz
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
eScan : W97M.Downloader.ESE
Microsoft : TrojanDownloader:O97M/Donoff!map
Sophos : Troj/DocDl-FQK
Symantec : W97M.Downloader
Tencent : Win32.Trojan.Inject.Auto
TrendMicro : W2KM_HANCITOR.AUSTT
TrendMicro-HouseCall : W2KM_HANCITOR.AUSTT

Email analysis :

NOTE : billing@secure-lgm.com
NOTE : Received : from wsip-70-165-74-172.hr.hr.cox.net
NOTE : (HELO secure-lgm.com) (70.165.74.172)

Friday, November 18, 2016

RE: shipping done

We shipped your crap.
Here s the tracking invoice :
https://www.ups.com/?tracking_invoice=219371293129312& action=download

Let us know when it arrives.
Thanks

Phishing analysis :

CLICK : https://www.ups.com/?tracking_invoice=219371293129312& action=download
OPEN : http://invoice-portal.com/invoices/get.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
RESULT : Download a file called : inv11172016.doc

File analysis :

ESET-NOD32 : VBA/Kryptik.T
F-Secure : Trojan:W97M/Nastjencro.A
Fortinet : WM/Agent.5110!tr
Kaspersky : HEUR:Trojan.Script.Agent.gen
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
Panda : O97M/Downloader 20161117
Qihoo-360 : virus.office.gen.75
Symantec : W97M.Downloader
TrendMicro : W2KM_HANCITOR.YYSXC
TrendMicro-HouseCall : W2KM_HANCITOR.YYSXC

inv11172016.doc is a virus.

Email analysis :

NOTE : Return-Path : < rm@restaurantcocotte.com >
NOTE : 162.252.121.130 ()
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : iPad Mail (11D169)
NOTE : Message-Id : < *@restaurantcocotte.com >
NOTE : Content-Type : text/html; charset="utf-8"
NOTE : Received : from unknown (HELO restaurantcocotte.com) (162.252.121.130)


NOTE : RE: shipping done

Wednesday, November 16, 2016

< no subject >


2016111105002973550858.zip

File analysis :

Download : 2016111105002973550858.zip
Result : 2016111105002973550858.zip is a virus.

Virus analysis :

ALYac Trojan.JS.Downloader.GYQ
AVG JS/Downloader.Agent.62_I
AVware Trojan-Downloader.JS.Nemucod.bbp (v)
Ad-Aware Trojan.JS.Downloader.GYQ
AegisLab Troj.Downloader.Js.Cryptoload!c
AhnLab-V3 JS/Obfus
Antiy-AVL Trojan/Generic.ASVCS3S.3F7
Arcabit Trojan.JS.Downloader.GYQ
Avast JS:Downloader-DSB [Trj]
Avira (no cloud) HEUR/Suspar.Gen
Baidu JS.Trojan-Downloader.Nemucod.od
BitDefender Trojan.JS.Downloader.GYQ
CAT-QuickHeal JS.Locky.JE
Cyren JS/Nemucod.CA2
DrWeb JS.DownLoader.1225
ESET-NOD32 JS/TrojanDownloader.Nemucod.BMK
Emsisoft Trojan.JS.Downloader.GYQ (B)
F-Prot JS/Nemucod.CA2
F-Secure Trojan.JS.Downloader.GYQ
Fortinet JS/Nemucod.BDA!tr
GData Trojan.JS.Downloader.GYQ
Ikarus Trojan-Downloader.JS.Nemucod
K7AntiVirus Trojan ( 004dfe6d1 )
K7GW Trojan ( 004dfe6d1 )
Kaspersky Trojan-Downloader.JS.Agent.nbi
McAfee JS/Nemucod.jg
McAfee-GW-Edition JS/Nemucod.jg
eScan Trojan.JS.Downloader.GYQ
Microsoft TrojanDownloader:JS/Nemucod!rfn
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
Rising Downloader.Cryptoload!8.7DA (topis)
Sophos Mal/DrodZp-A
Symantec Trojan.Gen.NPE
Tencent Js.Trojan.Raas.Auto
TrendMicro JS_NEMUCOD.SMK14
VIPRE Trojan-Downloader.JS.Nemucod.bbp (v)

Final result :

I opened the virus, and the raw version of this virus is here : http://pastebin.com/raw/FVM8wh4v

This virus sounds like a ransomware...

Email analysis :

NOTE : diann.laughton99@winterbrew.com
NOTE : User-Agent : Microsoft-MacOutlook/14.0.0.100825
NOTE : Received : from customer-SLRC-130-213.megared.net.mx
NOTE : (unknown [201.164.130.213])

Thursday, September 22, 2016

documents (Virus)

Ramona huger Office Manager
Box Rentals LLC
Sanibel Executive Suites
Crestwood Apts.
Cleveland Apts.
rayatboxrentals@cableone.net
www.sanibelsuites.com
2230 East 8th St / Office
Joplin, Mo.64801
Cell-417-312-3661
Office-417-624-7900
Fax- 417-624-7971

5496921_55724.zip

Email analysis :

NOTE :

NOTE : Return-Path : < ramona.huger@cableone.net >
NOTE : Mime-Version : 1.0
NOTE : Message-Id : < *.*.*.JavaMail.zimbra@cableone.net >
NOTE : X-Mailer : Zimbra 8.0.7_GA_6021 (ZimbraWebClient - GC46 (Win)/8.0.7_GA_6021)
NOTE : Thread-Topic : documents
NOTE : Received : from PHC-i5-VAIO (unknown [113.186.230.214])


NOTE : [SPAM] documents

File analysis :

Download : 5496921_55724.zip.
Result : 5496921_55724.zip is a virus.

Virus analysis :

SHA256 16bb72cc0a9a02626ef293df46696f489935e5890df483251976d38d1bf613d9
ALYac JS:Trojan.Crypt.PV
AVG JS/Downloader.Agent.54_Q
Ad-Aware JS:Trojan.Crypt.PV
AhnLab-V3 JS/Obfus.S137
Antiy-AVL Trojan/Generic.ASMalwRG.70
Arcabit JS:Trojan.Crypt.PV
Avira (no cloud) HEUR/Suspar.Gen
Baidu JS.Trojan-Downloader.Nemucod.jn
BitDefender JS:Trojan.Crypt.PV
CAT-QuickHeal JS.Locky.FA
Cyren JS/Nemucod.CA1
DrWeb JS.DownLoader.2236
ESET-NOD32 JS/TrojanDownloader.Nemucod.AZC
Emsisoft JS:Trojan.Crypt.PV (B)
F-Prot JS/Nemucod.CA1
F-Secure JS:Trojan.Crypt.PV
Fortinet JS/Nemucod.SMK9!tr
GData JS:Trojan.Crypt.PV
Ikarus Trojan-Ransom.Script.Locky
K7AntiVirus Trojan ( 004f43681 )
K7GW Trojan ( 004f43681 )
Kaspersky Trojan-Downloader.JS.Cryptoload.als
McAfee JS/Nemucod.jg
McAfee-GW-Edition JS/Nemucod.jg
eScan JS:Trojan.Crypt.PV
Microsoft TrojanDownloader:JS/Swabfex.P
Sophos Mal/DrodZp-A
Tencent Js.Trojan.Raas.Auto

Open Virus :

NOTE : CYTUKE64504.wsf
NOTE : Windows Script File (WSF)
NOTE : http://pastebin.com/BqrxRQqW
RAW : http://pastebin.com/raw/BqrxRQqW

Wednesday, August 17, 2016

Infração de Transito 10-08-2016 (Virus)

A partir do dia 10/08/2016, a Via Fácil realmente iniciou a aplicação de multas.

Todo motorista que passar a mais de 40 km/h receberá uma multa por excesso

de velocidade. Segundo a STP (empresa administradora), a multa do Sem Parar

é gerada pela Policia Rodoviária.

você foi multado veja abaixo copia da multa.

Download da multa aqui...

Email analysis :

NOTE : detran@drz.com.br
NOTE : Received : from unknown (HELO pc-PC)
NOTE : (menoli@drz.com.br@200.204.161.106)


NOTE : by beta.sercomtel.com.br

Link analysis :

CLICK : Download da multa aqui...
OPEN : https://tinyurl.com/j3nav3q?=visualizar/multa/10/08/2016
DOWNLOAD FILE FROM : https://dc431.4shared.com
RESULT : File is a virus.

Virus analysis :

FILENAME : Infração-de-transito-15-08-2016.rar
SHA256 : b3baf1dedb71e91ca1006d412b8ee7eb59bf6a0388bb89abd3aefc3ee0c14dd6

Ad-Aware : Gen:Variant.Symmi.60015
Arcabit : Trojan.Symmi.DEA6F
Avast : Win32:Malware-gen
Avira (no cloud) : TR/Downloader.sdtq
BitDefender : Gen:Variant.Symmi.60015
ESET-NOD32 : Win32/TrojanDownloader.Banload.XMW
Emsisoft : Gen:Variant.Symmi.60015 (B)
F-Secure : Gen:Variant.Symmi.60015
GData : Gen:Variant.Symmi.60015
Ikarus : Trojan-Downloader.Win32.Banload
K7GW : Trojan-Downloader ( 004f64451 )
Kaspersky : Trojan-Downloader.Win32.Delf.kkdi
McAfee : Artemis!383F16692822
eScan : Gen:Variant.Symmi.60015
TrendMicro : HEUR_NAMETRICK.A
TrendMicro-HouseCall : TROJ_GE.4D16FF7F

Conclusion :

Virus hosted by 4shared.com
Link to the virus hosted by tinyurl.com

Saturday, July 23, 2016

Your SSL Certificate has expired

Dear customer,

You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.

The new Salesforce digital certificate can be downloaded from:
https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download

Instruction:
Unzip the downloaded file first. SSL certificate cannot be installed if it is zipped.
Double click the SSL certificate file and click 'OK' to confirm installation.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancellation:
http://www.salesforce.com/company/privacy/security.jsp

Thank you for using Salesforce.com

Email screenshot :


Email analysis :

NOTE : support@salesforce.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/plain; charset=ISO-8859-1; format=flowed
NOTE : paultayoy@alpestour.com
NOTE : Received : from 62.42.178.94.dyn.user.ono.com
NOTE : (62.42.178.94.dyn.user.ono.com [62.42.178.94])
NOTE : Your SSL Certificate has expired

Analysis of the link :

CLICK : https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download
OPEN : https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download
SCREENSHOT :

Sunday, July 3, 2016

Tyler Butler sent you "Scanned Documents.zip"

Tyler Butler a file with you on Dropbox

The updated agreement with BDO

Scanned Documents.zip

Download

© 2016 Dropbox

Screenshot of the email :

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : americanexpress@welcome.aexp.com
NOTE : 14.174.35.53


NOTE : Received : from static.vnpt.vn (unknown [14.174.35.53])

File analysis :

CLICK : Download
OPEN :

https://www.cubbyusercontent.com/pl/Scanned+Documents.zip/_08fa4c28262f424b970037c786caf840

DOWNLOAD : Scanned Documents.zip
RESULT : Scanned Documents.zip is a virus.

Virus analysis :

FILENAME : Scanned Documents.zip
SHA256 : 27d79850e1bae0d14a689e1d019ef6217d805189b04e486e3d54ed8a363d3689

====================================
Ad-Aware : Trojan.GenericKD.3363605
AegisLab : Troj.Generickd!c
Arcabit : Trojan.Generic.D335315
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3363605
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AGS
Emsisoft : Trojan.GenericKD.3363605 (B)
F-Secure : Trojan.GenericKD.3363605
Fortinet : JS/Nemucod.1509!tr
GData : Trojan.GenericKD.3363605
Ikarus : Trojan.Script
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.la
McAfee-GW-Edition : JS/Nemucod.la
eScan : Trojan.GenericKD.3363605
Microsoft : TrojanDownloader:JS/Nemucod.EW
Sophos : Troj/JSDldr-PH
====================================

Extraction of the zip : 3 files extracted.
Result : Scan001.js, Scan002.js, Scan003.js

File Scan001.js
File Scan002.js
File Scan003.js

Thursday, June 30, 2016

Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer

Iazalde.Ludwig@alpestour.com
sent you some files
The updated agreement with RTS Consulting

Download

Files (6.24 MB total)
SageAccts 2016-06-29.zip
Will be deleted on
30 June, 2016

Get more out of WeTransfer, get Plus

About WeTransfer Contact Legal Powered by Amazon Web Services To make sure you can receive our emails, please add noreply@wetransfer.com to your trusted contacts

Link analysis :

CLICK : Download
OPEN : https://www.cubbyusercontent.com/pl/SageAccts+2016-06-29.zip/_24cfcb038b1b4223ae0b4d0cc41ecdbe
DOWNLOAD FILE : SageAccts 2016-06-29.zip

File analysis :

FILE : SageAccts 2016-06-29.zip
SHA256 : b50fe4e0b2bfa1e8157c306e7293fb9d097a91b99bf34621a3246211bb5368e2

FILE IS A TROJAN !!!

Avira (no cloud) : HEUR/Suspar.Gen
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic

Email analysis :

NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Message-Id : < *.*@alpestour.com >
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : 1.161.133.80;


NOTE : Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer

Sunday, June 12, 2016

Samantha Gann sent you "Scan001.zip"

Samantha Gann a file with you on Dropbox

The updated agreement with AlixPartners

Scan001.zip

Download

© 2016 Dropbox

Email screenshot :


Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : Received : from unknown (HELO NNZCABJO) (1.47.202.181)


NOTE : Samantha Gann sent you "Scan001.zip"

File analysis :

CLICK : DOWNLOAD
OPEN : https://www.cubbyusercontent.com/pl/Scan001.zip/_6ec59f8ef081469e9dba0d304a99cb9d
FILENAME : Scan001.zip
RESULT : File is a virus.

Virus analysis :

SHA256: e68dfb45eb15d675073486679ac94cac1788ea5c54a3e39cb9cddddaf73a179e
FILENAME : Scan001.zip
AVG : Downloader.Generic_c.ALTL
Ad-Aware : Trojan.GenericKD.3298975
AegisLab : Exploit.Script.Generic!c
Arcabit : Trojan.Generic.D32569F
Avast : Other:Malware-gen [Trj]
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3298975
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.ADU
Emsisoft : Trojan.GenericKD.3298975 (B)
F-Secure : Trojan.GenericKD.3298975
Fortinet : JS/Nemucod.ET!tr.dldr
GData : Trojan.GenericKD.3298975
Ikarus : JS.Trojan-Downloader.Rogue
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Exploit.Script.Generic
McAfee : Generic.yd
McAfee-GW-Edition : Generic.yd
eScan : Trojan.GenericKD.3298975
Microsoft : TrojanDownloader:JS/Nemucod.AT
Rising : Exploit.Generic!8.3E1-aXLPd6nZxPO (Cloud)
TrendMicro : JS_NEMUCOD.QDA
TrendMicro-HouseCall : JS_NEMUCOD.QDA

Monday, May 9, 2016

DOCUMENT DE NON CONFORMITE (Virus)

Ci-joint le document de non conformité.

Bien � toi,
--



SCopieur VA9812357665355478.gz

Virus analysis :

SHA256 : 0235a1aded1737d8c89186b29a34610be835ff45f896091d6dcd6eb9a3152061
Filename : SCopieur VA9812357665355478.gz

ALYac : JS:Trojan.JS.Downloader.IQ
AVG : JS/Downloader.Agent
Ad-Aware : JS:Trojan.JS.Downloader.IQ
Arcabit : JS:Trojan.JS.Downloader.IQ
Avast : JS:Downloader-CZW [Trj]
Avira (no cloud) : JS/Dldr.Locky.98765
BitDefender : JS:Trojan.JS.Downloader.IQ
CAT-QuickHeal : JS.Locky.P
Cyren : JS/Locky.AC
DrWeb : JS.DownLoader.1397
ESET-NOD32 : JS/TrojanDownloader.Nemucod.WU
F-Prot : JS/Locky.AC
F-Secure : JS:Trojan.JS.Downloader.IQ
Fortinet : JS/Nemucod.WU!tr.dldr
GData : JS:Trojan.JS.Downloader.IQ
Ikarus : Trojan-Ransom.Script.Locky
Kaspersky : Trojan-Downloader.JS.Agent.kee
McAfee : JS/Nemucod.is
McAfee-GW-Edition : JS/Nemucod.is
eScan : JS:Trojan.JS.Downloader.IQ
Microsoft : TrojanDownloader:JS/Nemucod.EK
Rising : Downloader.Ransomware!8.625A-SOAAbihlG7H (Cloud)
Sophos : JS/Dldr-MD

Email analysis :

NOTE : lg46@valoritech.fr
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
NOTE : Received : from cmodem.201.140.226-163.wirenet.com.ar (unknown [201.140.226.163])

Tuesday, April 26, 2016

invoice confirmation (Virus)

Good day,

Please find attached invoice for the past months. Remit the new payment
by 30/05/2016 as outlines under our payment agreement.

Regards

Sino

FILE : invoice0879657_pdf.ace

invoice0879657_pdf.ace is a virus.
SHA256: fe382fb45d36b6e03728384999eb79b38f198168dc6fcc4ddbdabb69439a205a
DrWeb : Trojan.PWS.Stealer.1932
ESET-NOD32 : a variant of MSIL/Injector.OZV
Sophos : Mal/DrodAce-A

Email analysis :

NOTE : bik@isioco.fr
NOTE : User-Agent : Roundcube Webmail/1.1.4
NOTE : Received : from us32L.aryadns.com (us132.aryadns.com. [64.31.31.132])
NOTE : Received : from webmail.isioco.fr (localhost [IPv6:::1])
NOTE : by us32L.aryadns.com (Postfix)
NOTE : client-ip=64.31.31.132;