#filescan

2024-04-29

Attachment details:
Archive unpacked: Ojo de Agua L7e4Q9T8n7H5F02948682763671061.zip (application/zip, 875.00 B)
#MD5: 6631371d736d640a36c6ab4d6c63dea6
#SHA1: 8fd44aa1bff3821d3a433e36749ea72f43a94dd9
#SHA256: 7fc51469303642006715af40b5b8b545e249e8a2a7ff1b6604565db27de0ca0d
#SHA512: e658bd018c278481c1ea5bf32d4dee533bd6448dca8ad7094807fa7c6f569203a5d2c13b2e38a323c72a35fc221139eb7432451d91a924b47973807856ecba37
filescan.io/uploads/662fd7af75

Expanded to Name: Ojo de Agua L7e4Q9T8n7H5F02948682763671061.html
File Magic: text/#html
SHA-256: 1ea974fab990da9ca61a9c56afdcbecbe8486e0cd2cc5045fea9ab71d8347ee7
filescan.io/uploads/662fd7af75 looks to be a spoofed #Google page, in German. No detections!

#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal
2/3

2024-04-29

Today’s #malware sample is in #Spanish, leveraging a #ezmlm mailing list on the back end at facturanuevagenerada [DOT] com which does not have an associated web site – just a placeholder.

#email #SRC 62.149.155.137 assigned to #aruba.it, a hosting provider over in the #EU

Of interest:
#User-Agent: #Roundcube Webmail/1.6.0

#IP is not listed as an #openProxy

#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal
1/3

2024-04-26

New sample relating to this activity described - file attachment
Name: Daily Check status order---###Geek Squad###2024APR##.txt
File Magic: text/plain
SHA-256: 330a0f5609c1922888772bc72bc4ececf5e6fca236a68e6783129706af0bdc06

Uploaded to:
filescan.io/uploads/662c1bcb14
virustotal.com/gui/file/330a0f

With today's number (833) 944-1376

message source: 209.85.220.41:
Routing details for 209.85.220.41
Cached whois for 209.85.220.41 : network-abuse@google.com

#spammers #scammers #malicious #suspectfiles
#malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR
#spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse #paypal #paypuke #geeksquad #filescan #vt #virustotal

2024-04-25

Today’s #malware sample is another #DHL spoof, in #Spanish and #pretending to be an individual in #Spain
#email #SRC 192.190.220.159 assigned to #liquidweb.com
Their abuse address has bounced all #spamcop reports
#IP is listed on dnsbl.sorbs.net as #openProxy
Archive unpacked: DHL_ES567436735845755676678877988975877.7z (#application/x-rar-compressed; version=5, 4.80 kB)
#MD5:  594d7d00d0e80e84754b39b29a5347c8
#SHA1:  f5b4828c76d936a5f53e361086f8c787b1d1f2a4
#SHA256: 99646928c1a35686a0067fb6c506ec0bb03e4a0ff9cd108158ada19babb90895
#SHA512: ec1279a7484e0c440823547887dc09807c29ef35501d292463701fca67d4f9965c190070f239fa0ffeb0b14a72d8ad85a6991866bd5fa419106acc081e3e95b5
filescan.io/uploads/662aad6e54
#VT - 11/62 detection rate as trojan.suspar
virustotal.com/gui/file/996469
#spammers #scammers #malicious #suspectfiles #malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR #spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse
#filescan #virustotal

2024-04-24

Most recent email #SRC:
Tracking message source: 209.85.220.65:
#Routing details for 209.85.220.65
Cached #whois for 209.85.220.65 : #network-#abuse@#google.com

File #attachment:
Name: You can view and pay your invoice online at #### TXN ID - 35BY54NY6U.txt
FileMagicDescription: #ASCII text, with CRLF line terminators
Size: 820.00 B
#MD5: 3623bff3a27884ccad53958452b3b386
#SHA-1: 1d7f7cbea8d82de0ae5beab1272401213e39a8e1
#SHA-256: f5c231e6710d06d91bda4fe4509900b085a4e8d344df609fe63f2d9c440be24a

filescan.io/uploads/6629757731

virustotal.com/gui/file/f5c231

#spammers #scammers #malicious #suspectfiles
#malware #triage #ioc #_ioc #infosec #informationSecurity #IncidentResponce #IR
#spam #infosec #infomantionSecurity #virustotal #ABUSE #emailabuse #paypal #paypuke #geeksquad #filescan #vt #virustotal

2/2
