Herbie Zimmerman herbiezimmerman
herbiezimmerman
/ gist:57c50a515c391e8c093d422e2039d241
Last active
October 9, 2017 20:30
Locky URLs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2017-10-06 | |
| ========== | |
| Subject: Invoice INV000(3 random numbers) | |
| ilibarcelos.pt/9hgfdfyr6? | |
| mrscrowe.net/p66/9hgfdfyr6 | |
| conxibit.com/9hgfdfyr6? | |
| georginabringas.com/9hgfdfyr6? | |
| ecofloraholland.nl/9hgfdfyr6? | |
| pnkparamount.com/9hgfdfyr6? | |
| highpressurewelding.co.uk/9hgfdfyr6? |
herbiezimmerman
/ gist:1180f45066dc1d2f82c5cb95a8c67d87
Created
November 15, 2017 17:30
2017-11-15 Dridex Malspam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Snippet from script for the binary: | |
| =============================== | |
| //|:ptth|exe.oRYtXTJY\|elifotevas|ydoBesnopser|etirw|nepo|epyT|PmeT|TeG|ssecorP|llehs.tpircsW|noitacilppA.llehs|Maerts.bdodA|PTTHLMX.tfosorciM | |
| ---- | |
| Microsoft.XMLHTTP|Adodb.streaM|shell.Application|Wscript.shell|Process|GeT|TemP|Type|open|write|responseBody|savetofile|\XdzEBhuN.exe|http:|// | |
| //|:ptth|exe.bYONuOReq\|elifotevas|ydoBesnopser|etirw|nepo|epyT|PmeT|TeG|ssecorP|llehs.tpircsW|noitacilppA.llehs|Maerts.bdodA|PTTHLMX.tfosorciM | |
| ---- | |
| Microsoft.XMLHTTP|Adodb.streaM|shell.Application|Wscript.shell|Process|GeT|TemP|Type|open|write|responseBody|savetofile|\qeROuNOYb.exe|http:|// |
herbiezimmerman
/ gist:a628315d67865ab95b4b52bc36b5798e
Created
December 6, 2017 11:57
Trickbot Malspam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2017-12-06 | |
| ========== | |
| <mcconf> | |
| <ver>1000098</ver> | |
| <gtag>ser0512</gtag> | |
| <servs> | |
| <srv>79.106.41.9:449</srv> | |
| <srv>94.250.252.146:443</srv> | |
| <srv>62.109.18.206:443</srv> | |
| <srv>62.109.26.193:443</srv> |
herbiezimmerman
/ gist:2d2e1b676c95c916bff6ecadbe5510af
Created
June 5, 2018 17:48
2018-06-05 Trickbot Config (ver 1000206 / gtag ser0605)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <mcconf> | |
| <ver>1000206</ver> | |
| <gtag>ser0605</gtag> | |
| <servs> | |
| <srv>93.109.242.134:443</srv> | |
| <srv>46.47.50.44:443</srv> | |
| <srv>190.7.199.42:443</srv> | |
| <srv>158.58.131.54:443</srv> |
herbiezimmerman
/ gist:4f9e402c407c4526ab69559308139061
Created
June 12, 2018 20:09
2018-06-12 Emotet (IRS Theme)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Any.Run: | |
| ======== | |
| https://app.any.run/tasks/e3551e19-4898-4dc7-b646-cf50c50e1fac | |
| https://app.any.run/tasks/cb544ffd-5c07-4470-a618-33117882059f | |
| VT: | |
| === | |
| https://www.virustotal.com/#/file/91d0f65b0e9f62ccb7817030967cde51c8f4806a8acec6deabec39c7d8adb416/community | |
| https://www.virustotal.com/#/file/ece2a89aa4bdb318370bc75458d7d790791d7b46287888d40b555e3b7726b228/community |
herbiezimmerman
/ gist:e7873b265b241459e219f7dc83c2e8d3
Last active
July 4, 2018 03:00
2018-07-03 Hancitor Malspam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| MD5 of "invoice_<random number string>.doc: 916F1A229B73D5720AA51E596BE52EE5 | |
| Count of unique URLs in all the sample of emails: | |
| ------------------------------------------------- | |
| 8 dudz.biz | |
| 7 golfdudz.biz | |
| 5 golfdudz.com | |
| 4 johnstontrav.com | |
| 5 kickasstrophe.org | |
| 3 mmmfrecklespbctw.com |
herbiezimmerman
/ gist:41badea3223a9e41b71d5720b0f618b5
Created
July 10, 2018 21:05
2018-07-10 Emotet - Subject: Invoice related
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Valid URLs: | |
| =========== | |
| hxxp://mjcapt[.]com/newsletter/US/ACCOUNT/Please-pull-invoice-44130/ | |
| hxxp://www[.]anadolu-yapi[.]xyz/pdf/US/Order/Order-22324681075/ | |
| hxxp://www[.]friendsengg[.]co[.]in/files/En_us/STATUS/Invoice-07-10-18/ | |
| hxxp://www[.]desabiangkeke[.]com/doc/EN_en/INVOICE-STATUS/Invoice-18660/ | |
| hxxp://www[.]nasa[.]ekpaideusi[.]gr/newsletter/US/DOC/Invoice-3243324682-07-10-2018/ | |
| hxxp://www[.]elizimuhendislik[.]xyz/doc/EN_en/Statement/Invoice-7384991949-07-10-2018/ | |
| hxxp://www[.]docudabra[.]com/newsletter/En/ACCOUNT/Pay-Invoice/ | |
| hxxp://test[.]foskinterior[.]com/Jul2018/En_us/ACCOUNT/Invoice-14693880736-07-09-2018/ |
herbiezimmerman
/ gist:e205b0129c2367ff446ba6b2a6d77a60
Created
August 24, 2018 17:33
2018-08-24: Hawkeye malspam process details
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Strings2 v1.3 | |
| Copyright © 2016, Geoff McDonald | |
| http://www.split-code.com/ | |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | |
| \??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | |
| en-US | |
| M/d/yyyy | |
| MMMM, yyyy |
herbiezimmerman
/ gist:476c6c6ab71f47d65e881c22f1dd62e4
Created
September 21, 2018 14:35
2018-09-21 Emotet Malspam
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Maldocs: | |
| ======== | |
| MD5 (F_P298298.doc) = e298770f693d152d37693eb855dde9e9 | |
| MD5 (F_T4545.doc) = 64e55a68e11af98e1ce319d0dd433de8 | |
| Artifacts: | |
| MD5 (42.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection | |
| MD5 (srvloada.exe) = d0474a3558d7be310d72bf3146cb59d5 --> https://www.virustotal.com/#/file/48fedd8eb8fd95b1c3f3a43fe0ed4ff6e769902b1b7db1f07953455b5ff2c662/detection | |
| Malicious macro script: |
herbiezimmerman
/ gist:abe4fc57310117da6703d49123f94757
Created
October 17, 2018 15:10
2018-10-16 Hancitor Word Doc Links
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://lineward.net/?4xkey7=UAQDY1AKYKCVV1QHIANQIGG0CQi | |
| http://runwithhunt.com/?6Fi7=i7(w5t8z.6].42170QIGYQYNCA3LUw | |
| http://safiyaansari.com/?8o=mPUCmPTOCT0QIGYQYNCA3LUw | |
| http://srt4dart.net/?56a8h=mABOJDAGUAQPTU0QIGYQYNCA3LUw | |
| http://runwithhunt.com/?1WYEQ8=HQEGURNXQHIANQIGG0CQi | |
| http://srt4dart.us/?22U=YCYCMDFOiH0QIGYQYNCA3LUw | |
| http://charlesmessa.net/?6I01VO=CRUvFO0QIGYQYNCA3LUw | |
| http://charlesmessa.net/?34S2d=QI/?TmPVV.45104160QIGYQYNCA3LUw | |
| http://torktuned.com/?3AVOaV=QETtUy0DFOQzNYQHIANQIGG0CQi | |
| http://regpharmconsult.com/?3pev13=APYBBOGWIRmAVYQHIANQIGG0CQi |
OlderNewer