Email Malware – August 2017

Continuing the series on double-archived malicious JavaScript attachments delivered in very sloppy malware campaigns, the indicators below were checked for August.

Sender IP addresses


IP addresses contacted by the attachment

78.85.240.218
36.239.16.228
47.89.241.198

URLs


Attachments SHA256


Attachments online analysis
