Thursday, March 31, 2022

*** - Copy (19) - Copy (Email leak)


mowoled@gmail.com ***
***
mowoled@gmail.com ***
*** - Copy (19) - Copy
Open

Email analysis :

NOTE : drive-shares-dm-noreply@google.com
NOTE : mowoled@gmail.com
NOTE : Google Docs
NOTE : Virus

Email leak (397 emails) :

sanshainclan@gmail.com, dannydhillonmsc@gmail.com, jays8723@gmail.com, oscarlafsmith@gmail.com, marekzachary14@gmail.com, mareswayne1956@gmail.com, raysilva432@gmail.com, rayziggiemaddogsgm@gmail.com, razz151@gmail.com, rb290558@gmail.com, dgowens84@gmail.com, dgrizzelle@gmail.com, dhawkins640@gmail.com, dhead1797@gmail.com, dhornbuckle1991@gmail.com, dhudson10291964@gmail.com, diabolicesper64@gmail.com, diegoandresgonzalez012320@gmail.com, machinistdd@gmail.com, williamrazzmund@gmail.com, ptrjoseph1@gmail.com, veigermids@gmail.com, okeysmith60rk@gmail.com, jperry454jp@gmail.com, rbk4797@gmail.com, g0330perez@gmail.com, rblac92@gmail.com, g0409222@gmail.com, rbprivate519@gmail.com, dignitary8892@gmail.com, dilbar.noor@gmail.com, craigroberts911911@gmail.com, meltyboydani@gmail.com, pattyaberdeen18@gmail.com, nolankhan01@gmail.com, nickcarti69@gmail.com, timbell20021963@gmail.com, russellpeterson85@gmail.com, mikera456@gmail.com, indianpartyfood@gmail.com, rbscumaci@gmail.com, rbyrnes1977@gmail.com, rc22sch@gmail.com, rc645920@gmail.com, rcc585@gmail.com, rcgadsonii@gmail.com, rche8181@gmail.com, rubenrrg420@gmail.com, jaymannix94@gmail.com, krancraigslist@gmail.com, sweetbaby1458@gmail.com, reflectivethinkingtealc@gmail.com, dannymcgilv@gmail.com, joshjlerma@gmail.com, mrlaudlkc@gmail.com, alexstraat@gmail.com, ashcatchem094@gmail.com, faizulmdhoque@gmail.com, jackhigh69132@gmail.com, zarsbwtug398725323@gmail.com, margorieschug5324@gmail.com, skyline.mccargar@gmail.com, rculver601@gmail.com, g1300zx@gmail.com, g133sh@gmail.com, efjsjbajsb44@gmail.com, danymayer19@gmail.com, chekamhando@gmail.com, egurrola81@gmail.com, kaheem9@gmail.com, aaravaarav37@gmail.com, christopherw988@gmail.com, dearrell88@gmail.com, hunter6190@gmail.com, carneywmf@gmail.com, cecil42w@gmail.com, cmsmallwood85@gmail.com, howardwellsjr.hw@gmail.com, keithhurst69@gmail.com, ernietopps1974@gmail.com, gerson6940@gmail.com, adammanus0@gmail.com, gabrieldodo2016@gmail.com, jeffdavis4720@gmail.com, 
broomesreality@gmail.com, hampe8970@gmail.com, garciapatrickn@gmail.com, dreinaldob@gmail.com, ballerbrock24@gmail.com, adamsaj7@gmail.com, anonymouslow4@gmail.com, goku123987@gmail.com, kevww6962@gmail.com, haroondgl@gmail.com, gelarpr@gmail.com, carlosgomesdacunha@gmail.com, cjb41216@gmail.com, grolison525@gmail.com, brideck0078@gmail.com, bay962328@gmail.com, freshfruitisfake@gmail.com, hamms2829@gmail.com, drew.mays2@gmail.com, chaaseface3662@gmail.com, almostnerdy7@gmail.com, kgulyamov92@gmail.com, advertisewithhubbard@gmail.com, blueyedone45@gmail.com, ditaiqbal1@gmail.com, californiasanjose01@gmail.com, charlyredline@gmail.com, jyzzra2021@gmail.com, amirgully@gmail.com, johnculliford@gmail.com, kin1k420@gmail.com, greattdot89@gmail.com, astconner@gmail.com, cheapthrills8386@gmail.com, duane.wagner62@gmail.com, amyjroberts17@gmail.com, jimmyjon7637@gmail.com, charlenemcarnavon@gmail.com, chitownguy258@gmail.com, dc399572@gmail.com, amanda.ovadal@gmail.com, couchkeith91@gmail.com, johnsonrdle@gmail.com, danielguerrero861@gmail.com, catbabecause@gmail.com, keithhollowayjr26@gmail.com, finesselord42@gmail.com, acaasszz@gmail.com, kenpostel@gmail.com, herdianoka@gmail.com, cody.lawson033@gmail.com, garyraucho@gmail.com, brkky21@gmail.com, austinmashburn0@gmail.com, dptenn2903@gmail.com, drakesdasnake@gmail.com, bubs10287@gmail.com, karenzwilliams58@gmail.com, caliber07.im@gmail.com, andrewzest@gmail.com, barezamro@gmail.com, geetha0101@gmail.com, dave.krasnow@gmail.com, abramcsgo123@gmail.com, bhill8501@gmail.com, darrhea@gmail.com, jrrosie94@gmail.com, brown.fredrick@gmail.com, austintravisberry@gmail.com, brockdudley18@gmail.com, cke519@gmail.com, jacob.meyers1976@gmail.com, dhbiscreen@gmail.com, grgirardjr@gmail.com, burak.kapir@gmail.com, click7513@gmail.com, chadabernathey@gmail.com, apl.al425@gmail.com, jadavidm@gmail.com, amyparr654@gmail.com, daaboiii0@gmail.com, jasonhuyghesr@gmail.com, d925or@gmail.com, chrisneegaard3@gmail.com, craigtyson63@gmail.com, 
cool.bagas21@gmail.com, allbarbersleague@gmail.com, aenny01@gmail.com, gallo2770@gmail.com, finalheaven225@gmail.com, jameshoustion88@gmail.com, brandonfuzz14@gmail.com, jb372230@gmail.com, audriaflemmg962@gmail.com, azmarried13@gmail.com, jen4peace10@gmail.com, bigandblack817@gmail.com, aroberts3469@gmail.com, amegwynn@gmail.com, bgl818028@gmail.com, blakelyward66@gmail.com, darya.puss@gmail.com, bellhunter013@gmail.com, k9athleticclub@gmail.com, cammiladinovic@gmail.com, branleh7@gmail.com, dakotag6766@gmail.com, alfredjustin56@gmail.com, johnthorne6666@gmail.com, aurelio.cruz@gmail.com, denzel.negron12@gmail.com, bigsmoothcrush@gmail.com, brthegr8@gmail.com, bencat1971@gmail.com, georgebroadway494@gmail.com, gianggiangno1@gmail.com, barlowross18@gmail.com, geralddp49@gmail.com, johnford852@gmail.com, allendumelo@gmail.com, allengrooms@gmail.com, betben37@gmail.com, justinestrada67@gmail.com, brentriffraff@gmail.com, jllest.simaeet8963@gmail.com, jredwards1978@gmail.com, jdutch777@gmail.com, jarochito864@gmail.com, crh9595@gmail.com, carissatoni696969@gmail.com, beto67873@gmail.com, dstoen1@gmail.com, edjbraun@gmail.com, abernathyjames663@gmail.com, jontargaryen87@gmail.com, dcted7@gmail.com, crawfman46@gmail.com, ccskjones@gmail.com, jburgysr72@gmail.com, charliebanks92@gmail.com, clannargent@gmail.com, bheimerflhx@gmail.com, bhootmowgli@gmail.com, fluxtheworld92@gmail.com, hoangdevil367@gmail.com, akmalchik5@gmail.com, geraldvermillion8@gmail.com, dhanley2012@gmail.com, aidanclyne2012@gmail.com, callmejackpot54@gmail.com, dandydave3569@gmail.com, jshaw4929@gmail.com, essencerobinson34@gmail.com, davishuang9@gmail.com, blacktxice00@gmail.com, jhjhill01@gmail.com, armandas.samaninas@gmail.com, dungtran1212cf@gmail.com, jhftyertuyyiuyutrydtrsdfxg.vj00@gmail.com, clistads2018@gmail.com, drewbradley1812@gmail.com, cooperfadito@gmail.com, junior12785@gmail.com, contjoe111@gmail.com, cartergustafson07@gmail.com, gboy180@gmail.com, danielforcraiglist@gmail.com, 
cutlady1111@gmail.com, atxmusicmann@gmail.com, chriscorrales568@gmail.com, esorell1975@gmail.com, gerren.jackson@gmail.com, aakarshanchirag@gmail.com, ahadbeg@gmail.com, kevin.oliver1992@gmail.com, esquisite1980@gmail.com, buggabflowers1981@gmail.com, indyddlover@gmail.com, dcforever87@gmail.com, burnouuut2240@gmail.com, branmuffin2008@gmail.com, eliecassat@gmail.com, angelinbeby667@gmail.com, asheliemknapp910812@gmail.com, jaycruz6789@gmail.com, jrentz2000@gmail.com, dacama@gmail.com, d26ohyeah.tm@gmail.com, bigmoneymike305@gmail.com, aartizada@gmail.com, drwho40000@gmail.com, edward01181@gmail.com, justwannaplay069@gmail.com, jasonparker36@gmail.com, funbikerdude@gmail.com, backdraft480@gmail.com, chrisroa05@gmail.com, jthiede@gmail.com, irith22@gmail.com, jordys710@gmail.com, kevondvs@gmail.com, dlblueb67474@gmail.com, iliashouichiti@gmail.com, el.musthofa@gmail.com, honestbill3447@gmail.com, jerrymm24@gmail.com, kingj606707@gmail.com, cheiftoksalot@gmail.com, bossbrooks1@gmail.com, harrischanning3@gmail.com, killyouseed@gmail.com, elmorejoyce09809@gmail.com, houranimohammad085@gmail.com, dwaynepurvis3@gmail.com, imkickedout@gmail.com, david.sedloev@gmail.com, elwoodknott@gmail.com, anjeltina520@gmail.com, daddie4u80@gmail.com, etaczab@gmail.com, ghassebroek89@gmail.com, celder85@gmail.com, a24213270@gmail.com, blindkitty1562@gmail.com, jonnyringo512@gmail.com, cjfun4u2enjoy@gmail.com, anthonynguyen215@gmail.com, gpowell841@gmail.com, brubble969@gmail.com, cjmcharlie@gmail.com, eaglesgregory3@gmail.com, daddysinneerr1@gmail.com, cesaroro7@gmail.com, bjhemail@gmail.com, bogstoy@gmail.com, jamesckbell@gmail.com, adauto.valentim@gmail.com, det.bunk@gmail.com, darrinjackson56@gmail.com, desean314@gmail.com, joshanderson1935@gmail.com, kingsleyotrbmx321@gmail.com, khard.khard69@gmail.com, hood.international254@gmail.com, hakunaa43@gmail.com, dedegirl1@gmail.com, buffaloguy5555@gmail.com, kclauderdale024@gmail.com, gannonestay117@gmail.com, kirawapol@gmail.com, 
joshschulz8041@gmail.com, elitemma3233@gmail.com, jeffandwhitley@gmail.com, brown.robert321@gmail.com, blausen@gmail.com, aiesharichardson24@gmail.com, azirielmi@gmail.com, hecticrogue@gmail.com, ihaveit2017@gmail.com, blazintires99@gmail.com, dustin9292@gmail.com, javiergonzales218.jf@gmail.com, akaelgato@gmail.com, grmrpr7686@gmail.com, betes497@gmail.com, hattonalan477@gmail.com, jeremy.delaunay18@gmail.com, kmoinc65@gmail.com, bradleycooper633@gmail.com, jusmonrivers@gmail.com, gomezdanny159@gmail.com, drew.schrantz2008@gmail.com, donniel43@gmail.com, knguyen037@gmail.com, jpgrafferty10@gmail.com, castingcapecod@gmail.com, josephhunter88@gmail.com, edouardlibwa@gmail.com, drncwang@gmail.com, bisok20@gmail.com, barnes11615@gmail.com, dylan.higginbotham1997@gmail.com, frogers987@gmail.com, jay.047022@gmail.com, beastalteese@gmail.com, bthomasmundorf@gmail.com, chris.beck5601@gmail.com, caballerothomas11@gmail.com, jnh1965trusted@gmail.com, gnkusdcg5788@gmail.com, djandarieleacret@gmail.com, dainam829272626@gmail.com, bojanglesboy27@gmail.com, cmdavis0704@gmail.com, clarkb324@gmail.com, creamylollipop29@gmail.com, arcangel197045@gmail.com, jaycayson150@gmail.com, joser.iap@gmail.com, emunozh14@gmail.com, arpiandi36@gmail.com, ericgilmore05@gmail.com, cdubs0897@gmail.com, jetringer12@gmail.com, bay707biggie@gmail.com, igushhard6699@gmail.com, dharreld89@gmail.com, jasonmonillas50@gmail.com, albertocardoza1987@gmail.com, angelrobert0813@gmail.com, joelcallaham1983@gmail.com, geemo1104@gmail.com, fabiana.alair@gmail.com

Sunday, November 18, 2018

Deposit

Good day ,

Please find attach receipt of deposit made for the attach purchase order.
Do advice on date of delivery.

Download to view.

Regards.

Deposit.zip

Email analysis :

NOTE : Bokamoso Peggy
NOTE : peggybokamoso@gmail.com
NOTE : client-ip=209.85.220.65;


File analysis :

NOTE : Open Deposit.zip
NOTE : This file is a virus
NOTE : Bkav : JS.eIframeHlNMe.
NOTE : Cyren : Trojan.DHVJ-8
NOTE : Sophos AV : Troj/Phish-DZN
NOTE : TrendMicro : TROJ_FRS.VSN16J18
NOTE : TrendMicro-HouseCall : TROJ_FRS.VSN16J18
NOTE : Zoner : Probably HTMLUnescape

Tuesday, November 28, 2017

Anko Ship / export inquiry (Virus)

Dear sir/Madam

Thank you for doing business with us in the past. My name is Tonia and i am representing Anko Ship & Export. Please find attached our updated company profile with required technical details and contract terms for attached inquiry.

Please review the contract and also quote your best quote and payment terms.

Thanks and kind regards.

Mrs Tonia

Anko inquiry 1511855105.jar
ANKO DOC.rar

File analysis (Virus) :

Anko inquiry 1511855105.jar

Baidu : Java.Trojan.Agent.a
Cyren : Java/Agent.BEL
F-Prot : Java/Agent.BEL
Ikarus : Win32.Outbreak

ANKO DOC.rar :

Baidu : Java.Trojan.Agent.a
Cyren : Java/Agent.BEL
F-Prot : Java/Agent.BEL
Ikarus : Win32.Outbreak
Sophos AV : Mal/DrodZp-A

Email analysis :

NOTE : import@bondagency.com
NOTE : User-Agent : Roundcube Webmail/1.2.7
NOTE : Received : from pleskbusinessweb.if1.housing.ehiweb.it
NOTE : (pleskbusinessweb.if2.housing.ehiweb.it [79.98.45.57])

*@* - payment receipt as agreed!

Hello.

As we discussed on 21/11/2017, the transfer to your account for the cancellation of the purchase has been made. Please verify.

Note: You can print the receipt by Clicking Here ("Clicando Aquí")

B&F - Abogados Asociados - CL

Email analysis :

NOTE : abogados82734.com@live.com
NOTE : root@live.com
NOTE : root@live.com does not designate 173.255.211.90 as permitted sender


Phishing analysis :

CLICK : Clicando Aquí
STUDY LINK : https://bit.do/dUvpv?*@*.com
REMOVE EMAIL : https://bit.do/dUvpv
ADD - : https://bit.do/dUvpv-
SCREENSHOT :


DOWNLOAD : http://inmisrad.org/Comprobante.zip
FILE : VIRUS

Virus :

Cyren : JS/Downldr.ES2!Eldorado
DrWeb : VBS.Psyme.126
ESET-NOD32 : JS/TrojanDownloader.Banload.RM
F-Prot : JS/Downldr.ES2!Eldorado
Ikarus : Win32.Outbreak
Kaspersky : HEUR:Trojan.Script.Agent.gen
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Qihoo-360 : virus.js.qexvmc.1080
Rising : Downloader.Banload!8.15B (TOPIS:acBkcffG9cJ)
Symantec : JS.Downloader!gen40
ZoneAlarm : HEUR:Trojan.Script.Agent.gen

Paste :

PASTE : https://pastebin.com/upZWkBFT

Friday, November 3, 2017

Emailing: MD10 - 01.11.2017 (Virus)

Your message is ready to be sent with the following file or link
attachments:
MD10 - 01.11.2017

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your
e-mail security settings to determine how attachments are handled.

--
Thanks & Regards
Eric Sherwin
Senior Officer
Accounts & Finacne

MD10 - 01.11.2017.doc

Email analysis :

NOTE : Eric_dhiman@dickscheid.net
NOTE : Received : from 84.120.144.159.dyn.user.ono.com
NOTE : (84.120.144.159.dyn.user.ono.com [84.120.144.159])


NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Thunderbird/27.0

File analysis :

- OPEN : MD10 - 01.11.2017.doc
- FILE MD10 - 01.11.2017.doc is a virus

Virus analysis :

{"scans": {"Bkav": {"detected": false, "version": "1.3.0.9367", "result": null, "update": "20171102"}, "TotalDefense": {"detected": false, "version": "37.1.62.1", "result": null, "update": "20171102"}, "MicroWorld-eScan": {"detected": false, "version": "14.0.297.0", "result": null, "update": "20171103"}, "nProtect": {"detected": false, "version": "2017-11-03.01", "result": null, "update": "20171103"}, "CMC": {"detected": false, "version": "1.1.0.977", "result": null, "update": "20171102"}, "CAT-QuickHeal": {"detected": false, "version": "14.00", "result": null, "update": "20171102"}, "McAfee": {"detected": false, "version": "6.0.6.653", "result": null, "update": "20171031"}, "Malwarebytes": {"detected": false, "version": "2.1.1.1115", "result": null, "update": "20171103"}, "VIPRE": {"detected": false, "version": "62170", "result": null, "update": "20171103"}, "SUPERAntiSpyware": {"detected": false, "version": "5.6.0.1032", "result": null, "update": "20171103"}, "TheHacker": {"detected": false, "version": "6.8.0.5.2121", "result": null, "update": "20171102"}, "Alibaba": {"detected": false, "version": "1.0", "result": null, "update": "20170911"}, "K7GW": {"detected": false, "version": "10.29.25124", "result": null, "update": "20171102"}, "K7AntiVirus": {"detected": false, "version": "10.29.25131", "result": null, "update": "20171102"}, "Baidu": {"detected": true, "version": "1.0.0.2", "result": "Win32.Trojan-Downloader.Agent.kn", "update": "20171103"}, "F-Prot": {"detected": true, "version": "4.7.1.166", "result": "LNK/Downldr.gen", "update": "20171103"}, "Symantec": {"detected": true, "version": "1.4.0.0", "result": "Trojan.Mdropper", "update": "20171102"}, "ESET-NOD32": {"detected": true, "version": "16347", "result": "LNK/TrojanDownloader.Agent.HW", "update": "20171103"}, "TrendMicro-HouseCall": {"detected": true, "version": "9.950.0.1006", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "Avast": {"detected": true, "version": "17.7.3660.0", "result": 
"Other:Malware-gen [Trj]", "update": "20171103"}, "ClamAV": {"detected": true, "version": "0.99.2.0", "result": "Img.Dropper.PhishingLure-6362648-0", "update": "20171102"}, "Kaspersky": {"detected": true, "version": "15.0.1.13", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171102"}, "BitDefender": {"detected": true, "version": "7.2", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "NANO-Antivirus": {"detected": false, "version": "1.0.100.19905", "result": null, "update": "20171103"}, "ViRobot": {"detected": true, "version": "2014.3.20.0", "result": "DOC.Z.Agent.132562", "update": "20171103"}, "Tencent": {"detected": false, "version": "1.0.0.1", "result": null, "update": "20171103"}, "Ad-Aware": {"detected": false, "version": "3.0.3.1010", "result": null, "update": "20171103"}, "Emsisoft": {"detected": true, "version": "4.0.1.883", "result": "Trojan.Agent.CPMC (B)", "update": "20171103"}, "Comodo": {"detected": false, "version": "27990", "result": null, "update": "20171103"}, "F-Secure": {"detected": true, "version": "11.0.19100.45", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "DrWeb": {"detected": true, "version": "7.0.28.2020", "result": "PowerShell.DownLoader.455", "update": "20171103"}, "Zillya": {"detected": false, "version": "2.0.0.3420", "result": null, "update": "20171102"}, "TrendMicro": {"detected": true, "version": "9.862.0.1074", "result": "TROJ_POWLOAD.AUSJSH", "update": "20171103"}, "McAfee-GW-Edition": {"detected": false, "version": "v2015", "result": null, "update": "20171103"}, "Sophos": {"detected": true, "version": "4.98.0", "result": "Mal/DownLnk-D", "update": "20171103"}, "Cyren": {"detected": true, "version": "5.4.30.7", "result": "ZIP/Trojan.VNUH-5", "update": "20171103"}, "Jiangmin": {"detected": false, "version": "16.0.100", "result": null, "update": "20171103"}, "Webroot": {"detected": false, "version": "1.0.0.207", "result": null, "update": "20171103"}, "Avira": {"detected": true, "version": "8.3.3.6", 
"result": "TR/Agent.cznoe", "update": "20171103"}, "Fortinet": {"detected": true, "version": "5.4.247.0", "result": "LNK/Agent.AG!tr.dldr", "update": "20171103"}, "Antiy-AVL": {"detected": false, "version": "3.0.0.1", "result": null, "update": "20171103"}, "Kingsoft": {"detected": false, "version": "2013.8.14.323", "result": null, "update": "20171103"}, "Arcabit": {"detected": true, "version": "1.0.0.827", "result": "Trojan.Agent.CPMC", "update": "20171103"}, "AegisLab": {"detected": true, "version": "4.2", "result": "Troj.Winlnk.Agent!c", "update": "20171103"}, "ZoneAlarm": {"detected": true, "version": "1.0", "result": "Trojan-Downloader.MSWord.Agent.bqe", "update": "20171103"}, "Avast-Mobile": {"detected": false, "version": "171102-04", "result": null, "update": "20171102"}, "Microsoft": {"detected": true, "version": "1.1.14306.0", "result": "TrojanDownloader:O97M/Donoff!lnk", "update": "20171103"}, "AhnLab-V3": {"detected": true, "version": "3.10.1.19128", "result": "LNK/Autorun.Gen", "update": "20171102"}, "ALYac": {"detected": false, "version": "1.1.1.2", "result": null, "update": "20171103"}, "AVware": {"detected": false, "version": "1.5.0.42", "result": null, "update": "20171102"}, "MAX": {"detected": true, "version": "2017.6.26.1", "result": "malware (ai score=99)", "update": "20171103"}, "VBA32": {"detected": false, "version": "3.12.26.4", "result": null, "update": "20171102"}, "WhiteArmor": {"detected": false, "version": null, "result": null, "update": "20171024"}, "Zoner": {"detected": true, "version": "1.0", "result": "LNKScript", "update": "20171103"}, "Rising": {"detected": true, "version": "25.0.0.1", "result": "Trojan.Downloader!1.A420 (CLASSIC)", "update": "20171103"}, "Yandex": {"detected": false, "version": "5.5.1.3", "result": null, "update": "20171102"}, "Ikarus": {"detected": true, "version": "0.1.5.2", "result": "Trojan-Downloader.PS.Agent", "update": "20171102"}, "GData": {"detected": true, "version": "A:25.14678B:25.10801", "result": 
"Trojan.Agent.CPMC", "update": "20171103"}, "AVG": {"detected": true, "version": "17.7.3660.0", "result": "Other:Malware-gen [Trj]", "update": "20171103"}, "Panda": {"detected": false, "version": "4.6.4.2", "result": null, "update": "20171102"}, "Qihoo-360": {"detected": false, "version": "1.0.0.1120", "result": null, "update": "20171103"}}, "scan_id": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f-1509678306", "sha1": "c10cb42d1ba7732c73c9928bd16ccfd1a161f6d6", "resource": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "response_code": 1, "scan_date": "2017-11-03 03:05:06", "permalink": "https://www.virustotal.com/file/db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f/analysis/1509678306/", "verbose_msg": "Scan finished, information embedded", "total": 61, "positives": 29, "sha256": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f", "md5": "a54eae632f1557f5104f57c2a87fd144"}
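The blob above is a raw VirusTotal v2 file report. The script below is an added example (not the blog's own tooling) that turns such a report into the short per-engine list used elsewhere in these posts, checks that the "positives" field really equals the number of engines that detected the file, and pulls out the name fragments that several vendors agree on. SAMPLE_REPORT is a constructed six-engine subset in the same shape as the report above; the family-token heuristic and its stop-list are assumptions, not a VirusTotal feature.

```python
"""Summarise a VirusTotal v2 file report like the one pasted above.

Added example for this page, not the blog's own tooling. SAMPLE_REPORT is a
constructed subset (six engines) in the same shape as the report above; the
family-token heuristic and GENERIC_TOKENS are assumptions, not a VirusTotal
feature.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_REPORT = {
    "response_code": 1,
    "scan_date": "2017-11-03 03:05:06",
    "sha256": "db1d501eb2218c68be3b21f047195ac9c4b4420e6e66172d1a03fb99e4235d7f",
    "total": 6,
    "positives": 4,
    "scans": {
        "Bkav": {"detected": False, "version": "1.3.0.9367", "result": None, "update": "20171102"},
        "Baidu": {"detected": True, "version": "1.0.0.2", "result": "Win32.Trojan-Downloader.Agent.kn", "update": "20171103"},
        "ESET-NOD32": {"detected": True, "version": "16347", "result": "LNK/TrojanDownloader.Agent.HW", "update": "20171103"},
        "DrWeb": {"detected": True, "version": "7.0.28.2020", "result": "PowerShell.DownLoader.455", "update": "20171103"},
        "Microsoft": {"detected": True, "version": "1.1.14306.0", "result": "TrojanDownloader:O97M/Donoff!lnk", "update": "20171103"},
        "Panda": {"detected": False, "version": "4.6.4.2", "result": None, "update": "20171102"},
    },
}

# Tokens that carry no family information and would otherwise dominate the vote.
GENERIC_TOKENS = {"trojan", "win32", "gen", "agent", "malware", "generic", "heur", "trj", "tr"}


def load_report(text: str) -> Dict:
    """Parse the raw JSON string returned by the v2 API (the blob pasted above)."""
    report = json.loads(text)
    if report.get("response_code") != 1:
        raise ValueError("no finished scan in this report")
    return report


def detections(report: Dict) -> List[Tuple[str, str]]:
    """(engine, signature name) for every engine that flagged the file, sorted by engine."""
    return sorted(
        (engine, scan["result"])
        for engine, scan in report["scans"].items()
        if scan.get("detected")
    )


def detection_ratio(report: Dict) -> Tuple[int, int]:
    """(detecting engines, engines that scanned)."""
    return len(detections(report)), report.get("total", len(report["scans"]))


def positives_consistent(report: Dict) -> bool:
    """The 'positives' field should equal the number of detected=true entries."""
    return report.get("positives") == len(detections(report))


def family_tokens(report: Dict, min_engines: int = 2) -> List[str]:
    """Name fragments at least min_engines vendors agree on, e.g. 'downloader'."""
    votes: Counter = Counter()
    for _, name in detections(report):
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", name)}
        tokens = {t for t in tokens if len(t) >= 3 and not t.isdigit() and t not in GENERIC_TOKENS}
        votes.update(tokens)  # one vote per engine per token
    return sorted(t for t, n in votes.items() if n >= min_engines)


if __name__ == "__main__":
    hits, total = detection_ratio(SAMPLE_REPORT)
    print(f"{SAMPLE_REPORT['sha256']}: {hits}/{total} engines, "
          f"positives field consistent: {positives_consistent(SAMPLE_REPORT)}")
    print("family hints:", family_tokens(SAMPLE_REPORT))
    for engine, name in detections(SAMPLE_REPORT):
        print(f"  {engine:20} {name}")
```

On the full report above the same functions give 29 of 61 engines, which matches its "positives" field; the agreed fragments (downloader, lnk, powershell) are what tell you it is a Word lure dropping a shortcut that runs PowerShell, before you open anything.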

Tuesday, September 12, 2017

Please verify your email address *

The Dropbox logo

Hi *,

We just need to verify your email address before your sign up is complete!

Verify your email

Happy Dropboxing!

Email analysis :

NOTE : Received : from customer-PUE-207-103.megared.net.mx (unknown [177.245.207.103])


NOTE : verify@dropbox.com
LINK : http://floraisdobrasil.com.br/dropbox.html

NOTE : Received : from 189.89.7.60.telesa.com.br (unknown [189.89.7.60])


NOTE : verify@dropbox.com
LINK : http://basedow-bilder.de/dropbox.html

Phishing analysis :

CLICK : Verify your email
OPEN : http://floraisdobrasil.com.br/dropbox.html
SCREENSHOT :


CLICK : Verify your email
OPEN : http://basedow-bilder.de/dropbox.html
SCREENSHOT :


REDIRECT : http://wittinhohemmo.net/drop.php

OPEN : http://wittinhohemmo.net/drop.php
DOWNLOAD : Dropbox-MSGCODE-*.js
RESULT : Dropbox-MSGCODE-*.js is a virus

Virus analysis :

Arcabit : HEUR.JS.Trojan.ba
Avira : HTML/ExpKit.Gen2
Baidu : JS.Trojan-Downloader.Nemucod.yo
Cyren : JS/Agent.AAO1!Eldorado
F-Prot : JS/Agent.AAO1!Eldorado
Qihoo-360 : virus.js.qexvmc.1075
Rising : Malware.Undefined!8.C (cloud:CVrV9ZfawJI)
Symantec : JS.Downloader.D
TrendMicro : Possible_Cerber-JS03b1
TrendMicro-HouseCall : Possible_Cerber-JS03b1
ZoneAlarm : HEUR:Trojan-Downloader.Script.Generic

Conclusion :

Virus stored for analysis...

Thursday, August 24, 2017

About Payment 23-08-2017

Good day,

We have been instructed by your customer to make this transfer to you. Please we are very sorry for the delay in the payment, it was due to the Holidays. Attached is the Payment remittance copy for your reference.Please confirm for errors and get back to us through email.

Best Regards,
DANIEL MURRAY
Sharaf Exchange LLC.
Address:Sharaf Exchange Shop No. G15,
Union Co-Op Society,
Al Aweer,Near Fruit and Vegetable Market, Ras Al Khor, Dubai - UAE
Phone No:04-3200698
Website: http://www.sharafexchange.com

IMG-051220378052.DOC

Email analysis :

NOTE : danielmurray@mail.ru
NOTE : Received : from [104.243.26.4] (port=51917 helo=User)


NOTE : by shared.buxar-host.in
NOTE : bylinkove-zdravi@seznam.cz

Virus analysis :

Ad-Aware : W97m.Downloader.GCK
AhnLab-V3 : W97M/Downloader
BitDefender : W97m.Downloader.GCK
DrWeb : W97M.DownLoader.1802
eScan : W97m.Downloader.GCK
F-Secure : W97m.Downloader.GCK
GData : W97m.Downloader.GCK
Ikarus : Trojan-Downloader.VBA.Agent
MAX : malware (ai score=81)
NANO-Antivirus : Trojan.Ole2.Vbs-heuristic.druvzi
ZoneAlarm : HEUR:Trojan-Downloader.Script.Generic

317061979269082.doc (Virus)

317061979269082.doc

Email analysis :

NOTE : Return-Path: < noreply@xo.net >
NOTE : identity=mailfrom; client-ip=208.36.229.61;
NOTE : helo=xo.net; envelope-from=noreply@xo.net;
NOTE : Received: from xo.net (208.36.229.61.ptr.us.xo.net [208.36.229.61])
NOTE : Content-Type: application/msword; name="317061979269082.doc"
NOTE : From: < noreply@ulegv.com >
NOTE : 208.36.229.61.ptr.us.xo.net)
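Every "Email analysis" block in these posts boils down to the same check: the From address claims one domain, while the last Received hop shows the mail actually came from an unrelated host, often a dynamic or PPPoE line. The script below is an added example (not the blog's own tooling) that performs that check over the Received header formats quoted in these posts. The three regular expressions cover the Postfix "from HELO (RDNS [IP])", qmail "from unknown (HELO name) (IP)" and Exim "from [IP] (port=N helo=name)" shapes; the registered-domain logic (last two labels) and the list of residential tokens are simplifications chosen for the example, and the SAMPLES are constructed from header fragments quoted above.

```python
"""Flag mail whose originating host does not belong to the From domain.

Added example for this page, not the blog's own tooling. The header shapes and
the residential-hostname tokens are assumptions drawn from the Received lines
quoted in these posts; registered_domain() keeps the last two labels only, so
it ignores public suffixes such as co.uk.
"""
import re
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    helo: str              # name the connecting host announced in EHLO/HELO
    rdns: Optional[str]    # reverse DNS the receiving MTA resolved (None if unknown)
    ip: Optional[str]      # connecting IP address


# "from HELO (RDNS [IP])"           -- Postfix/Sendmail style
_RX_FULL = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)")
# "from unknown (HELO name) (IP)"   -- qmail style
_RX_QMAIL = re.compile(r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\(([^)]+)\)")
# "from [IP] (port=N helo=name)"    -- Exim style
_RX_EXIM = re.compile(r"from\s+\[([^\]]+)\]\s+\((?:port=\d+\s+)?helo=([^)\s]+)\)")


def parse_received(header: str) -> Optional[Hop]:
    """Extract HELO name, reverse DNS and IP from one Received: header."""
    m = _RX_FULL.search(header)
    if m:
        rdns = None if m.group(2).lower() == "unknown" else m.group(2)
        return Hop(m.group(1), rdns, m.group(3))
    m = _RX_QMAIL.search(header)
    if m:
        return Hop(m.group(1), None, m.group(2))
    m = _RX_EXIM.search(header)
    if m:
        return Hop(m.group(2), None, m.group(1))
    return None


def registered_domain(name: Optional[str]) -> Optional[str]:
    """Last two DNS labels, lower-cased; None for non-hostnames such as '?192.168.2.254?'."""
    if not name or "[" in name or "?" in name:
        return None
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def origin_mismatch(from_addr: str, hop: Hop) -> bool:
    """True when neither the HELO name nor the reverse DNS belongs to the From domain."""
    claimed = registered_domain(from_addr.rsplit("@", 1)[-1])
    seen = {registered_domain(hop.helo), registered_domain(hop.rdns)} - {None}
    return claimed not in seen


_RESIDENTIAL_TOKENS = ("dyn", "pppoe", "ppp", "dhcp", "dsl", "cable", "dialup")


def looks_residential(hop: Hop) -> bool:
    """Heuristic: consumer access lines (dyn, pppoe, ...) rarely send legitimate business mail."""
    if not hop.rdns:
        return False
    labels = hop.rdns.lower().split(".")
    return any(tok in labels for tok in _RESIDENTIAL_TOKENS)


def triage(from_addr: str, received: str) -> List[str]:
    """Findings for one message: empty list means nothing suspicious in this hop."""
    hop = parse_received(received)
    if hop is None:
        return ["unparsed Received header"]
    findings = []
    if origin_mismatch(from_addr, hop):
        findings.append("origin host not in From domain")
    if looks_residential(hop):
        findings.append("residential/dynamic reverse DNS")
    return findings


# Constructed samples, assembled from header fragments quoted in the posts above.
SAMPLES = [
    ("noreply@ulegv.com",
     "Received: from xo.net (208.36.229.61.ptr.us.xo.net [208.36.229.61])"),
    ("Eric_dhiman@dickscheid.net",
     "Received: from 84.120.144.159.dyn.user.ono.com (84.120.144.159.dyn.user.ono.com [84.120.144.159])"),
    ("logistics@maerskline.com",
     "Received: from unknown (HELO ?192.168.2.254?) (198.72.31.234)"),
    ("danielmurray@mail.ru",
     "Received: from [104.243.26.4] (port=51917 helo=User)"),
]

if __name__ == "__main__":
    for addr, hdr in SAMPLES:
        print(f"{addr:30} {triage(addr, hdr) or ['no finding']}")
```

Only the last Received line added by your own MTA is trustworthy; earlier hops are written by the sender and can be forged, so run the check on that line and treat a HELO of "User" or a bare private IP as an additional signal, not as proof by itself.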

Virus analysis :

Ad-Aware : W97M.Downloader.GDB
AegisLab : Troj.Script.Agent!c
AhnLab-V3 : W97M/Downloader
ALYac : Trojan.Downloader.W97M.Gen
Arcabit : HEUR.VBA.Trojan.e
Avast : Other:Malware-gen [Trj]
AVG : Other:Malware-gen [Trj]
Avira : W97M/Dldr.Agent.mgjui
Baidu : VBA.Trojan-Downloader.Agent.bup
BitDefender : W97M.Downloader.GDB
Comodo : UnclassifiedMalware
Cyren : PP97M/Downldr
DrWeb : W97M.DownLoader.1961
Emsisoft : Trojan-Downloader.Agent (A)
eScan : W97M.Downloader.GDB
ESET-NOD32 : VBA/TrojanDownloader.Agent.DYZ
F-Prot : New or modified PP97M/Downldr
F-Secure : W97M.Downloader.GDB
Fortinet : WM/Agent.Q!tr.dldr
GData : W97M.Downloader.GDB
Ikarus : Trojan-Downloader.VBA.Agent
Kaspersky : HEUR:Trojan.Script.Agent.gen
MAX : malware (ai score=99)
McAfee : W97M/Downloader.cfm
McAfee-GW-Edition : W97M/Downloader.cfm
Microsoft : TrojanDownloader:O97M/Donoff
Panda : O97M/Downloader
Sophos AV : Troj/DocDl-KBA
Symantec : W97M.Downloader
Tencent : Win32.Trojan-downloader.Agent.Sxyr
TrendMicro : W2KM_DLOADR.YYTCY
TrendMicro-HouseCall : W2KM_DLOADR.YYTCY
ViRobot : W97M.S.Agent.76249
ZoneAlarm : HEUR:Trojan.Script.Agent.gen

Saturday, May 13, 2017

Debt notification (Banque de France phishing)

You have debts.
You can download more information via this LINK

If you have any questions, you can call the numbers listed on our website

Thanks in advance,

Sacha Pierre
Customer relations specialist
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : banque@banque-france.fr
NOTE : gvbev@fulda170.server4you.de
NOTE : client-ip=62.75.219.171;


NOTE : LINK : http://ascomnotizie.confcommerciocremona.it/edizioni/2013/Settembre/mp3/config/page5.html
NOTE : Downloads a virus, "facture.zip", then redirects to the Banque de France website.
NOTE : https://www.banque-france.fr/

The subject of the phishing can also be "L'avis de Banque de France sur facturation" (Banque de France notice on invoicing), with different content :

Hello!

You have received a new invoice
The invoice to be paid can be viewed via this LINK

If you have any questions, you can call us.

Yours faithfully,

Patrice Salmon
Customer relations specialist
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : infos@banque-france.fr
NOTE : www-data@vs186078.vserver.de
NOTE : Received : from www-data by vs186078.vserver.de


NOTE : LINK : http://deko-studio.ru/templates/jblank/html/com_contact/categories/content2.html
NOTE : Phishing page is unresponsive.

The subject of the phishing can also be "Notification du paiement" (Payment notification), with different content :

Dear customer!

We are informing you of an outstanding debt
You can download more information via this LINK

If you have any questions, you can call us.

Best wishes,

Aubin Pascal
Customer relations specialist
BANQUE DE FRANCE

Email analysis :

NOTE : apache@vps11617909.123-vps.co.uk
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://rolkatravel.ru/includes/Archive/content2.html
NOTE : Redirects to another phishing page, then to the Banque de France website.

The subject of the phishing can also be "Rappel de dette" (Debt reminder), with different content :

You have received the invoice from the company Banque de France
You can download more information via this LINK

If you have any questions, you can call us

Best wishes!

Samy Bouchet
Senior customer relations specialist
BANQUE DE FRANCE

Email analysis :

NOTE : commercial@banque-france.fr
NOTE : webmaster@missdress.ru
NOTE : Received : from www-data by webs3.ru
NOTE : LINK : http://купить-дом-в-испании.рф/wp-admin/css/colors/blue/content2.html
NOTE : Phishing page was removed.


The subject of the phishing can also be "Vous avez les dettes" (You have debts), with different content :

You have debts.
You can download more information via this LINK

If you have any questions, you can call the numbers listed on our website

Thanks in advance!

Salomon Legros
Manager
BANQUE DE FRANCE
Tel.: 0 811 901 801
31 rue Croix des Petits-Champs
75049 PARIS cedex 01

Email analysis :

NOTE : contact@banque-france.fr
NOTE : Received : by vps11617909.123-vps.co.uk


NOTE : LINK : http://smartfitness.com.ua/wp-content/themes/fitnesstheme/fontawesome/css/page6.html
NOTE : Redirects to the Banque de France website.

Conclusion

Numerous phishing pages had already been removed, but I found one still active and downloaded a virus called facture.zip.

Open facture.zip

AegisLab : Troj.Script.Agent!c
Antiy-AVL : Trojan/Generic.ASVCS3S.3FA
Arcabit : JS:Trojan.Cryxos.725
Avast : Other:Malware-gen [Trj]
AVG : Script/Generic_c.NOE
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : JS:Trojan.Cryxos.725
Comodo : Heur.Dual.Extensions
Cyren : JS/Nemucod.EB1!Eldorado
DrWeb : Trojan.DownLoader24.57175
Emsisoft : JS:Trojan.Cryxos.725 (B)
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CXN
F-Prot : JS/Nemucod.EB1!Eldorado
F-Secure : JS:Trojan.Cryxos.725
Fortinet : JS/Nemucod.CXN!tr
GData : JS:Trojan.Cryxos.725
Ikarus : Trojan-Downloader.JS.Nemucod
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan.Script.Agent.gen
Microsoft : TrojanDownloader:JS/Nemucod
eScan : JS:Trojan.Cryxos.725
Rising : Downloader.Nemucod!8.34 (cloud:EJcAeQsE3jG)
Sophos : Mal/DrodZp-A
Symantec : Trojan.Gen.NPE
Tencent : Js.Trojan-downloader.Nemucod.Gbr
TrendMicro-HouseCall : Suspicious_GEN.F47V0510
ZoneAlarm by Check Point : HEUR:Trojan.Script.Agent.gen

Source code of the virus :

https://pastebin.com/raw/VaBZWADT

Tuesday, January 31, 2017

Our USPS courier can not contact you parcel # 781125158 (Virus)

Hello,

Your parcel was successfully delivered at Fri, 27 Jan 2017 12:42:51 +0300
to USPS Station, but our courier cound not contact you.
You can find more details in this e-mail attachment!

All the best.
Alishia Rawe - USPS Station Manager.

Delivery-Details.zip

Email analysis :

NOTE : afoytaay7@maurerfunerals.com.au
NOTE : Received : from maurerfunerals.com.au
NOTE : (194-28-243-94.pppoe.scatplus.ru [194.28.243.94])


File analysis :

OPEN : Delivery-Details.zip
SHA256 : 0ec1592225d89afbe04e8d15a16dfbd95b45864e31a60b0dea1d0529367acf50
RESULT : FILE IS A VIRUS

Virus analysis :

ALYac : Trojan.JS.Downloader.HMV
Ad-Aware : Trojan.JS.Downloader.HMV
AegisLab : Troj.Downloader.Script!c
AhnLab-V3 : JS/Obfus
Antiy-AVL : Trojan[Downloader]/JS.Nemucod
Arcabit : Trojan.JS.Downloader.HMV
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.JS.Downloader.HMV
CAT-QuickHeal : JS.Nemucod.BQN
Cyren : JS/Agent.WN!Eldorado
DrWeb : JS.DownLoader.3302
ESET-NOD32 : JS/TrojanDownloader.Nemucod.CBS
Emsisoft : Trojan.JS.Downloader.HMV (B)
F-Prot : JS/Agent.WN!Eldorado
F-Secure : Trojan.JS.Downloader.HMV
Fortinet : JS/Nemucod.D27C!tr
GData : Trojan.JS.Downloader.HMV
Ikarus : Trojan-Downloader.JS.Nemucod
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.on
McAfee-GW-Edition : JS/Nemucod.on
eScan : Trojan.JS.Downloader.HMV
Microsoft : TrojanDownloader:JS/Nemucod
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Rising : Downloader.Nemucod!8.34-jtWRudNFo0M (cloud)
Sophos : JS/DwnLdr-RHP
Symantec : Trojan.Gen.7
Tencent : Js.Trojan.Raas.Auto

File analysis :

The archive contains 3 elements:

- 1 JS script, Delivery-Details.js
- 2 files with blank filenames and hashed content.

For more information about this virus, contact me at contact@scam.cz

Blocked Transaction. Case No 482168537 (Virus)

The Automated Clearing House transaction (ID: 765241823), recently initiated
from your online banking account, was rejected by the other financial
institution.

Canceled ACH transaction
ACH file Case ID 207878605
Transaction Amount 1220.03 USD
Sender e-mail cyogmu18381025@southwoodchurch.org
Reason of Termination See attached statement

Email analysis :

NOTE : cyogmu18381025@southwoodchurch.org
NOTE : client-ip=83.174.220.43;
NOTE : Received : from southwoodchurch.org
NOTE : (h83-174-220-43.static.bashtel.ru [83.174.220.43])


Open file :

OPEN : document_1.zip
EXTRACT : Empty file...
NOTE : Weird...

Tuesday, November 29, 2016

New incoming Fax from 908.8325722

You Have a new Fax message
From: 908.8145483
Receiving date: November 28, 2016
Pages: 3

You can view your message on our website:
https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802

Thank you for using RingCentral.

Link analysis :

CLICK : https://service.ringcentral.com/ messages/download.aspx?fax_id=1805802
OPEN : http://787.vn/wp-content/themes/tourpackage-v1-02/backup/get.php?id=dGVzdEB0ZXN0LmNvbQ==
DOWNLOAD : fax_test.doc
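The "id=dGVzdEB0ZXN0LmNvbQ==" parameter on the get.php link above is plain base64; decoding it shows the lure carries the address it was sent to, which is how the backend personalises the download and confirms a live recipient. The view_bill.php link in the LogMeIn post further down uses the same trick. The snippet below is an added example (not the blog's own code) that pulls such a parameter out of a URL and decodes it only when the result is printable text; the parameter name "id" is taken from the two links on this page, and the OPAQUE URL is a constructed negative case.

```python
"""Decode the base64 'id=' parameter carried by a lure link.

Added example for this page, not the blog's own code. The parameter name 'id'
comes from the get.php/view_bill.php links quoted in these posts; OPAQUE is a
constructed negative case on a reserved domain.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

_EMAIL_RX = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_param(url: str, param: str = "id") -> Optional[str]:
    """Return the parameter value decoded from base64 as printable text, else None."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return None
    # parse_qs turns an unescaped '+' into a space; restore it before decoding.
    candidate = values[0].replace(" ", "+")
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def embedded_recipient(url: str) -> Optional[str]:
    """The e-mail address the lure was personalised with, if the id decodes to one."""
    text = decode_param(url)
    return text if text and _EMAIL_RX.match(text) else None


# Lure link quoted in the RingCentral post above.
LURE = "http://787.vn/wp-content/themes/tourpackage-v1-02/backup/get.php?id=dGVzdEB0ZXN0LmNvbQ=="
# Constructed negative case: an opaque token that is not base64 text.
OPAQUE = "http://example.invalid/get.php?id=8f3a-not-b64!"

if __name__ == "__main__":
    for url in (LURE, OPAQUE):
        print(url, "->", embedded_recipient(url))
```

When the decoded value is an address, the link is per-recipient: never open it from the real mailbox, because fetching it is enough to tell the operator that the address is monitored.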

File analysis :


OPEN : fax_test.doc
SHA256 : c0b3934b594a23dd88a42c0e96ccbbf7f88c633a19d82833d6d9bbf47630a0c1
RESULT : fax_test.doc is a virus

Virus analysis :

Avast : VBA:Downloader-DSL [Trj]
ClamAV : Doc.Dropper.Agent-1847249
Kaspersky : Trojan-Downloader.MSWord.Agent.avj
Qihoo-360 : virus.office.gen.70
Sophos : Troj/DocDl-FTZ
Symantec : W97M.Downloader

Email analysis :

NOTE : ringcentral@faxmessage.com
NOTE : 74.143.65.242 (rrcs-74-143-65-242.central.biz.rr.com)


NOTE : Mime-Version : 1.0

Tuesday, November 22, 2016

Maerskline Shipping BL (Phishing + Virus)

FYI

Please see attached shipping documents.

1 attachment(s)
Download | View

Best Regards

MAERSK LINE
One Commercial Place, 20th Floor
Norfolk, VA 23510
Phone: 757-857-4800
Fax: 757-852-3232
© Maersk Group.

Virus :

CLICK : DOWNLOAD
OPEN : http://original-documents.alkhalifa.pw/document/FAX_001.zip
RESULT : UNRESPONSIVE

Phishing analysis :

CLICK : View
OPEN : http://eretailday.org/img/shippingdoc/index.html
SCREENSHOT :


VALIDATE : FORM
REDIRECT : https://my.maerskline.com/?_nfpb=true&_pageLabel=page_tracking3_trackSimple

Email analysis :

NOTE : logistics@maerskline.com
NOTE : Received : from unknown (HELO ?192.168.2.254?)
NOTE : (198.72.31.234)

Your LogMein.com subscription has expired! (Virus)

Dear client,

You are receiving this message because your subscription for LogMeIn Central has expired.
We were not able to charge you with the due amount because your credit card was declined.

You can download the bill directly from the LogMeIn website:
https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc

Please use another credit card or payment method in order to avoid complete service interruption.

Event type: Credit Card Declined
Account email: *.*
At: 21/11/2016

If you need more help, visit LogMeIn Support at:
http://solutions.logmein. com/SalesContactUs

Important Security Notice:
LogMeIn will never ask for your password or other sensitive information by email.

(Please don't reply to this email, as it's sent from an address that's not monitored.)

© LogMeIn Inc

Virus analysis :

CLICK : https://accounts.logme.in/billing.aspx?clusterid=0724&view_bill_id=3716 4647&file_type=doc
OPEN : https://reg.vn/en/view_bill.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=
DOWNLOAD : lgm_bill89831.doc
lgm_bill89831.doc : VIRUS


lgm_bill89831.doc analysis :

SHA256 : fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac
FILE : lgm_bill89831.doc
ALYac : Trojan.Downloader.W97M.Gen
Ad-Aware : W97M.Downloader.ESE
AegisLab : Troj.Downloader.Msword.Agent!c
Arcabit : W97M.Downloader.ESE
BitDefender : W97M.Downloader.ESE
Cyren : W97M/Nastjencro
ESET-NOD32 : VBA/Kryptik.T
Emsisoft : W97M.Downloader.ESE (B)
F-Prot : New or modified W97M/Nastjencro
F-Secure : Trojan:W97M/Nastjencro.A
GData : W97M.Downloader.ESE
Ikarus : Trojan-Downloader.VBA.Agent 20161121
Kaspersky : Trojan-Downloader.MSWord.Agent.auz
McAfee : W97M/Dropper.cu
McAfee-GW-Edition : W97M/Dropper.cu
eScan : W97M.Downloader.ESE
Microsoft : TrojanDownloader:O97M/Donoff!map
Sophos : Troj/DocDl-FQK
Symantec : W97M.Downloader
Tencent : Win32.Trojan.Inject.Auto
TrendMicro : W2KM_HANCITOR.AUSTT
TrendMicro-HouseCall : W2KM_HANCITOR.AUSTT

Email analysis :

NOTE : billing@secure-lgm.com
NOTE : Received : from wsip-70-165-74-172.hr.hr.cox.net
NOTE : (HELO secure-lgm.com) (70.165.74.172)
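
The id parameter in this lure, like the one in the RingCentral fax lure above (get.php?id=dGVzdEB0ZXN0LmNvbQ==), is plain base64: the two tokens decode to test@test.com and webmaster@rbcafe.com, an address the sender already holds, presumably so the download page can record who clicked. The Python below is an added example, not code from this blog; it pulls such tokens out of a lure URL generically, accepting standard or URL-safe base64 with or without padding and keeping only values that look like an e-mail address. The URL list is copied from the posts above; nothing else is assumed.

```python
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlparse

# The two lure links from the posts above, copied as the browser saw them.
LURE_URLS = [
    "http://787.vn/wp-content/themes/tourpackage-v1-02/backup/get.php?id=dGVzdEB0ZXN0LmNvbQ==",
    "https://reg.vn/en/view_bill.php?id=d2VibWFzdGVyQHJiY2FmZS5jb20=",
]

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def b64_decode_loose(token: str) -> Optional[str]:
    """Decode standard or URL-safe base64, tolerating stripped '=' padding and
    a '+' that became a space in the query string. Returns printable ASCII
    text, or None when the token is not base64-encoded text at all."""
    t = token.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        raw = base64.b64decode(t, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_lure_params(url: str) -> Dict[str, str]:
    """Map each query parameter that decodes to an e-mail address to that
    address; anything else (plain numeric ids, binary blobs) is ignored."""
    found: Dict[str, str] = {}
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        decoded = b64_decode_loose(value)
        if decoded and EMAIL_RE.match(decoded):
            found[key] = decoded
    return found


if __name__ == "__main__":
    for u in LURE_URLS:
        print(u, "->", decode_lure_params(u))
```

A token that decodes to your own address is worth noting in the report: it means the sender's list already contains it, and it tells you the landing page can tell a sandbox's visit from the victim's.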

Wednesday, November 16, 2016

< no subject >


2016111105002973550858.zip

File analysis :

Download : 2016111105002973550858.zip
Result : 2016111105002973550858.zip is a virus.

Virus analysis :

ALYac : Trojan.JS.Downloader.GYQ
AVG : JS/Downloader.Agent.62_I
AVware : Trojan-Downloader.JS.Nemucod.bbp (v)
Ad-Aware : Trojan.JS.Downloader.GYQ
AegisLab : Troj.Downloader.Js.Cryptoload!c
AhnLab-V3 : JS/Obfus
Antiy-AVL : Trojan/Generic.ASVCS3S.3F7
Arcabit : Trojan.JS.Downloader.GYQ
Avast : JS:Downloader-DSB [Trj]
Avira (no cloud) : HEUR/Suspar.Gen
Baidu : JS.Trojan-Downloader.Nemucod.od
BitDefender : Trojan.JS.Downloader.GYQ
CAT-QuickHeal : JS.Locky.JE
Cyren : JS/Nemucod.CA2
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.BMK
Emsisoft : Trojan.JS.Downloader.GYQ (B)
F-Prot : JS/Nemucod.CA2
F-Secure : Trojan.JS.Downloader.GYQ
Fortinet : JS/Nemucod.BDA!tr
GData : Trojan.JS.Downloader.GYQ
Ikarus : Trojan-Downloader.JS.Nemucod
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : Trojan-Downloader.JS.Agent.nbi
McAfee : JS/Nemucod.jg
McAfee-GW-Edition : JS/Nemucod.jg
eScan : Trojan.JS.Downloader.GYQ
Microsoft : TrojanDownloader:JS/Nemucod!rfn
NANO-Antivirus : Trojan.Script.Heuristic-js.iacgm
Rising : Downloader.Cryptoload!8.7DA (topis)
Sophos : Mal/DrodZp-A
Symantec : Trojan.Gen.NPE
Tencent : Js.Trojan.Raas.Auto
TrendMicro : JS_NEMUCOD.SMK14
VIPRE : Trojan-Downloader.JS.Nemucod.bbp (v)

Final result :

I opened the virus, and the raw version of this virus is here : http://pastebin.com/raw/FVM8wh4v

This virus sounds like ransomware...

Email analysis :

NOTE : diann.laughton99@winterbrew.com
NOTE : User-Agent : Microsoft-MacOutlook/14.0.0.100825
NOTE : Received : from customer-SLRC-130-213.megared.net.mx
NOTE : (unknown [201.164.130.213])

Thursday, September 22, 2016

documents (Virus)

Ramona huger Office Manager
Box Rentals LLC
Sanibel Executive Suites
Crestwood Apts.
Cleveland Apts.
rayatboxrentals@cableone.net
www.sanibelsuites.com
2230 East 8th St / Office
Joplin, Mo.64801
Cell-417-312-3661
Office-417-624-7900
Fax- 417-624-7971

5496921_55724.zip

Email analysis :

NOTE : Return-Path : < ramona.huger@cableone.net >
NOTE : Mime-Version : 1.0
NOTE : Message-Id : < *.*.*.JavaMail.zimbra@cableone.net >
NOTE : X-Mailer : Zimbra 8.0.7_GA_6021 (ZimbraWebClient - GC46 (Win)/8.0.7_GA_6021)
NOTE : Thread-Topic : documents
NOTE : Received : from PHC-i5-VAIO (unknown [113.186.230.214])


NOTE : [SPAM] documents

File analysis :

Download : 5496921_55724.zip.
Result : 5496921_55724.zip is a virus.

Virus analysis :

SHA256 : 16bb72cc0a9a02626ef293df46696f489935e5890df483251976d38d1bf613d9
ALYac : JS:Trojan.Crypt.PV
AVG : JS/Downloader.Agent.54_Q
Ad-Aware : JS:Trojan.Crypt.PV
AhnLab-V3 : JS/Obfus.S137
Antiy-AVL : Trojan/Generic.ASMalwRG.70
Arcabit : JS:Trojan.Crypt.PV
Avira (no cloud) : HEUR/Suspar.Gen
Baidu : JS.Trojan-Downloader.Nemucod.jn
BitDefender : JS:Trojan.Crypt.PV
CAT-QuickHeal : JS.Locky.FA
Cyren : JS/Nemucod.CA1
DrWeb : JS.DownLoader.2236
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AZC
Emsisoft : JS:Trojan.Crypt.PV (B)
F-Prot : JS/Nemucod.CA1
F-Secure : JS:Trojan.Crypt.PV
Fortinet : JS/Nemucod.SMK9!tr
GData : JS:Trojan.Crypt.PV
Ikarus : Trojan-Ransom.Script.Locky
K7AntiVirus : Trojan ( 004f43681 )
K7GW : Trojan ( 004f43681 )
Kaspersky : Trojan-Downloader.JS.Cryptoload.als
McAfee : JS/Nemucod.jg
McAfee-GW-Edition : JS/Nemucod.jg
eScan : JS:Trojan.Crypt.PV
Microsoft : TrojanDownloader:JS/Swabfex.P
Sophos : Mal/DrodZp-A
Tencent : Js.Trojan.Raas.Auto

Open Virus :

NOTE : CYTUKE64504.wsf
NOTE : Windows Script File (WSF)
NOTE : http://pastebin.com/BqrxRQqW
RAW : http://pastebin.com/raw/BqrxRQqW

Wednesday, August 17, 2016

Traffic Violation (Infração de Transito) 10-08-2016 (Virus)

From 10/08/2016, Via Fácil has actually started applying fines.

Any driver passing at more than 40 km/h will receive a speeding fine. According to STP (the operating company), the Sem Parar fine is issued by the Highway Police (Polícia Rodoviária).

You have been fined; see below a copy of the fine.

Download the fine here...

Email analysis :

NOTE : detran@drz.com.br
NOTE : Received : from unknown (HELO pc-PC)
NOTE : (menoli@drz.com.br@200.204.161.106)


NOTE : by beta.sercomtel.com.br

Link analysis :

CLICK : Download the fine here...
OPEN : https://tinyurl.com/j3nav3q?=visualizar/multa/10/08/2016
DOWNLOAD FILE FROM : https://dc431.4shared.com
RESULT : File is a virus.

Virus analysis :

FILENAME : Infração-de-transito-15-08-2016.rar
SHA256 : b3baf1dedb71e91ca1006d412b8ee7eb59bf6a0388bb89abd3aefc3ee0c14dd6

Ad-Aware : Gen:Variant.Symmi.60015
Arcabit : Trojan.Symmi.DEA6F
Avast : Win32:Malware-gen
Avira (no cloud) : TR/Downloader.sdtq
BitDefender : Gen:Variant.Symmi.60015
ESET-NOD32 : Win32/TrojanDownloader.Banload.XMW
Emsisoft : Gen:Variant.Symmi.60015 (B)
F-Secure : Gen:Variant.Symmi.60015
GData : Gen:Variant.Symmi.60015
Ikarus : Trojan-Downloader.Win32.Banload
K7GW : Trojan-Downloader ( 004f64451 )
Kaspersky : Trojan-Downloader.Win32.Delf.kkdi
McAfee : Artemis!383F16692822
eScan : Gen:Variant.Symmi.60015
TrendMicro : HEUR_NAMETRICK.A
TrendMicro-HouseCall : TROJ_GE.4D16FF7F

Conclusion :

Virus hosted by 4shared.com
Link to the virus hosted by tinyurl.com

Saturday, July 23, 2016

Your SSL Certificate has expired

Dear customer,

You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.

The new Salesforce digital certificate can be downloaded from:
https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download

Instruction:
Unzip the downloaded file first. SSL certificate cannot be installed if it is zipped.
Double click the SSL certificate file and click 'OK' to confirm installation.
According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancellation:
http://www.salesforce.com/company/privacy/security.jsp

Thank you for using Salesforce.com

Email screenshot :


Email analysis :

NOTE : support@salesforce.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/plain; charset=ISO-8859-1; format=flowed
NOTE : paultayoy@alpestour.com
NOTE : Received : from 62.42.178.94.dyn.user.ono.com
NOTE : (62.42.178.94.dyn.user.ono.com [62.42.178.94])
NOTE : Your SSL Certificate has expired

Analysis of the link :

CLICK : https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download
OPEN : https://salesforce.dattodrive.com/index.php/s/ZoeW7Vs1kfLcUdF/download
SCREENSHOT :

Sunday, July 3, 2016

Tyler Butler sent you "Scanned Documents.zip"

Tyler Butler shared a file with you on Dropbox

The updated agreement with BDO

Scanned Documents.zip

Download

© 2016 Dropbox

Screenshot of the email :

Email analysis :

NOTE : no-reply@dropbox.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : americanexpress@welcome.aexp.com
NOTE : 14.174.35.53


NOTE : Received : from static.vnpt.vn (unknown [14.174.35.53])

File analysis :

CLICK : Download
OPEN :

https://www.cubbyusercontent.com/pl/Scanned+Documents.zip/_08fa4c28262f424b970037c786caf840

DOWNLOAD : Scanned Documents.zip
RESULT : Scanned Documents.zip is a virus.

Virus analysis :

FILENAME : Scanned Documents.zip
SHA256 : 27d79850e1bae0d14a689e1d019ef6217d805189b04e486e3d54ed8a363d3689

====================================
Ad-Aware : Trojan.GenericKD.3363605
AegisLab : Troj.Generickd!c
Arcabit : Trojan.Generic.D335315
Avira (no cloud) : HEUR/Suspar.Gen
BitDefender : Trojan.GenericKD.3363605
DrWeb : JS.DownLoader.1225
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AGS
Emsisoft : Trojan.GenericKD.3363605 (B)
F-Secure : Trojan.GenericKD.3363605
Fortinet : JS/Nemucod.1509!tr
GData : Trojan.GenericKD.3363605
Ikarus : Trojan.Script
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic
McAfee : JS/Nemucod.la
McAfee-GW-Edition : JS/Nemucod.la
eScan : Trojan.GenericKD.3363605
Microsoft : TrojanDownloader:JS/Nemucod.EW
Sophos : Troj/JSDldr-PH
====================================

Extraction of the zip : 3 files extracted.
Result : Scan001.js, Scan002.js, Scan003.js

File Scan001.js
File Scan002.js
File Scan003.js

Thursday, June 30, 2016

Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer

Iazalde.Ludwig@alpestour.com
sent you some files
The updated agreement with RTS Consulting

Download

Files (6.24 MB total)
SageAccts 2016-06-29.zip
Will be deleted on
30 June, 2016

Get more out of WeTransfer, get Plus

About WeTransfer Contact Legal Powered by Amazon Web Services To make sure you can receive our emails, please add noreply@wetransfer.com to your trusted contacts

Link analysis :

CLICK : Download
OPEN : https://www.cubbyusercontent.com/pl/SageAccts+2016-06-29.zip/_24cfcb038b1b4223ae0b4d0cc41ecdbe
DOWNLOAD FILE : SageAccts 2016-06-29.zip

File analysis :

FILE : SageAccts 2016-06-29.zip
SHA256 : b50fe4e0b2bfa1e8157c306e7293fb9d097a91b99bf34621a3246211bb5368e2

FILE IS A TROJAN !!!

Avira (no cloud) : HEUR/Suspar.Gen
K7AntiVirus : Trojan ( 004dfe6d1 )
K7GW : Trojan ( 004dfe6d1 )
Kaspersky : HEUR:Trojan-Downloader.Script.Generic

Email analysis :

NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < americanexpress@welcome.aexp.com >
NOTE : Mime-Version : 1.0
NOTE : Message-Id : < *.*@alpestour.com >
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Content-Type : text/html; charset=ISO-8859-1
NOTE : 1.161.133.80;


NOTE : Iazalde.Ludwig@alpestour.com has sent you a file via WeTransfer
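
Across the posts above the same header tells are checked by hand: a Return-Path whose domain differs from the From domain (the americanexpress@welcome.aexp.com Return-Path that recurs in the Salesforce and WeTransfer posts and appears again in the Dropbox one), a HELO that names the spoofed domain while the reverse DNS points at a consumer or hosting line (southwoodchurch.org from bashtel.ru; secure-lgm.com from cox.net), and a HELO that is a private address (?192.168.2.254? in the Maersk post). The Python below is an added example, not this blog's tooling; it parses the first-hop Received line and the address headers and returns those findings as text. The two header blocks are constructed from the fragments the posts record; the "by" host, dates and the access-pool label list are my assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed header blocks assembled from the fragments recorded in the
# posts above. The "by" host and dates are placeholders; the From,
# Return-Path, User-Agent and first-hop Received values are the blog's notes.
SAMPLE_SALESFORCE = """\
Return-Path: <americanexpress@welcome.aexp.com>
Received: from 62.42.178.94.dyn.user.ono.com (62.42.178.94.dyn.user.ono.com [62.42.178.94])
    by mx.example.invalid with ESMTP; Sat, 23 Jul 2016 09:00:00 +0000
From: support@salesforce.com
Subject: Your SSL Certificate has expired
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
Mime-Version: 1.0

"""

SAMPLE_ACH = """\
Received: from southwoodchurch.org (h83-174-220-43.static.bashtel.ru [83.174.220.43])
    by mx.example.invalid with ESMTP; Thu, 1 Dec 2016 09:00:00 +0000
From: cyogmu18381025@southwoodchurch.org
Subject: Blocked Transaction. Case No 482168537

"""

HELO_RE = re.compile(r"\(HELO\s+\??([^\s)?]+)\??\)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Reverse-DNS labels that usually mark consumer or access-network hosts
# (assumed list; tune it to what your own mail flow shows).
ACCESS_POOL_LABELS = {"dyn", "dynamic", "static", "customer", "wsip", "rrcs",
                      "pool", "dsl", "cable", "ppp"}


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def in_domain(host: str, dom: str) -> bool:
    h = host.lower().strip(".")
    return bool(dom) and (h == dom or h.endswith("." + dom))


def parse_first_hop(received: str) -> Dict[str, str]:
    """Extract HELO name, reverse-DNS name and peer IP from one Received
    value. Handles both 'from HELO (PTR [IP])' (postfix/sendmail) and
    'from PTR (HELO name) (IP)' (qmail) layouts, as seen in these posts."""
    line = " ".join(received.split())
    from_part = re.split(r"\s+by\s+", line, maxsplit=1, flags=re.I)[0]
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", from_part, re.I)
    first = m.group(1) if m else ""
    paren = (m.group(2) or "") if m else ""
    ips = IP_RE.findall(from_part)
    helo_m = HELO_RE.search(from_part)
    if helo_m:
        helo, ptr = helo_m.group(1), first
    else:
        helo = first
        ptr = paren.split()[0] if paren else ""
    return {"helo": helo, "ptr": ptr.strip("[]"), "ip": ips[-1] if ips else ""}


def header_findings(raw: str) -> List[str]:
    """Return the provenance problems a reviewer would note, as strings."""
    msg = message_from_string(raw)
    out: List[str] = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and from_dom and rp_dom != from_dom:
        out.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    received = msg.get_all("Received") or []
    if not received:
        return out
    hop = parse_first_hop(received[-1])  # last Received header = first hop
    helo, ptr, ip = hop["helo"], hop["ptr"], hop["ip"]
    try:
        if ipaddress.ip_address(helo).is_private:
            out.append(f"HELO is a private address ({helo}); real peer is {ip}")
    except ValueError:
        pass  # HELO is a hostname, not an address literal
    if in_domain(helo, from_dom) and ptr and ptr != "unknown" and not in_domain(ptr, from_dom):
        out.append(f"HELO {helo} claims {from_dom} but reverse DNS is {ptr}")
    if from_dom and not any(in_domain(h, from_dom) for h in (helo, ptr)):
        out.append(f"sender {ptr or ip} has no tie to From domain {from_dom}")
    if set(re.split(r"[.\-]", ptr.lower())) & ACCESS_POOL_LABELS:
        out.append(f"reverse DNS {ptr} looks like an access/consumer pool")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_SALESFORCE, SAMPLE_ACH):
        print(header_findings(sample))
```

Only the innermost Received header is trusted here, because it was written by your own receiving MTA; every outer hop can be forged by the sender. The access-pool heuristic is a prompt for a human, not a verdict: plenty of small legitimate senders sit on "static" lines too.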