Important Account Documents Malspam Delivering Trickbot - 2018-05-29

Date/time:
2018-05-29T18:20:11

“sender” from:
“TD Commercial Banking” <office@tdsecuredocuments[.]com>

Sender IP(s):
185.10.58.101
95.211.158.59
109.236.93.190

Shodan.io / Censys.io for lasthop(s):
https://www.shodan.io/185.10.58.101
https://www.censys.io/ipv4/185.10.58.101
https://www.shodan.io/95.211.158.59
https://www.censys.io/ipv4/95.211.158.59
https://www.shodan.io/109.236.93.190
https://www.censys.io/ipv4/109.236.93.190

Headers received (recipient address redacted, hence the empty "for ;" clause; rDNS shows as "unknown" because the connecting IPs have no PTR record):
from tdsecuredocuments[.]com (unknown [95.211.158.59]) by internal (Postfix) with ESMTP id 758FD60AF9 for ; Tue, 29 May 2018 18:37:20 +0000 (UTC)

from tdsecuredocuments[.]com (unknown [185.10.58.101]) by internal (Postfix) with ESMTP id 3D4EA10AF9 for ; Tue, 29 May 2018 18:37:35 +0000 (UTC)

from tdsecuredocuments[.]com (unknown [185.10.58.101]) by internal (Postfix) with ESMTP id 3D3EA50AF1 for ; Tue, 29 May 2018 18:37:35 +0000 (UTC)

from tdsecuredocuments[.]com (unknown [109.236.93.190]) by internal (Postfix) with ESMTP id 3562560AF9 for ; Tue, 29 May 2018 18:59:59 +0000 (UTC)

Helo:
tdsecuredocuments[.]com
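The Received headers above are the most reliable evidence in the report: the HELO name is attacker-chosen, but the bracketed IP and the Postfix queue id are written by our own MTA. The following Python is an added example (not from the original post or from the linked myonlinesecurity write-up) that parses the four Received lines exactly as printed, flags hops with no reverse DNS or a connecting IP in the report's sender list, and measures how long the campaign hit this mailbox. The Received format assumed is the standard Postfix one shown on the page; the field names (helo, rdns, ip, by, id, rcpt) are my own labels.

```python
import re
from email.utils import parsedate_to_datetime

# The four Received headers exactly as printed in the report. The empty "for ;"
# clause is where the recipient address was redacted.
RECEIVED_HEADERS = [
    "from tdsecuredocuments[.]com (unknown [95.211.158.59]) by internal (Postfix) with ESMTP id 758FD60AF9 for ; Tue, 29 May 2018 18:37:20 +0000 (UTC)",
    "from tdsecuredocuments[.]com (unknown [185.10.58.101]) by internal (Postfix) with ESMTP id 3D4EA10AF9 for ; Tue, 29 May 2018 18:37:35 +0000 (UTC)",
    "from tdsecuredocuments[.]com (unknown [185.10.58.101]) by internal (Postfix) with ESMTP id 3D3EA50AF1 for ; Tue, 29 May 2018 18:37:35 +0000 (UTC)",
    "from tdsecuredocuments[.]com (unknown [109.236.93.190]) by internal (Postfix) with ESMTP id 3562560AF9 for ; Tue, 29 May 2018 18:59:59 +0000 (UTC)",
]

# Sender IPs as listed in the report.
SENDER_IPS = {"185.10.58.101", "95.211.158.59", "109.236.93.190"}

# Postfix Received layout: from <helo> (<rdns> [<ip>]) by <host> ... id <queue-id> for <rcpt>; <date> (<comment>)
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)\s+for\s+(?P<rcpt>[^;]*);"
    r"\s*(?P<date>.+?)\s*(?:\([A-Za-z]+\))?$"
)


def parse_received(header):
    """Split one Postfix Received header into its fields and attach triage reasons."""
    m = RECEIVED_RE.match(header)
    if not m:
        raise ValueError(f"unparsable Received header: {header!r}")
    hop = m.groupdict()
    hop["timestamp"] = parsedate_to_datetime(hop.pop("date"))
    hop["reasons"] = []
    # Postfix writes 'unknown' as the rDNS name when the connecting IP has no PTR record.
    if hop["rdns"] == "unknown":
        hop["reasons"].append("no reverse DNS for connecting IP")
    if hop["ip"] in SENDER_IPS:
        hop["reasons"].append("connecting IP is a listed sender IP")
    return hop


def triage(headers):
    """Return only the hops that tripped at least one check."""
    return [hop for hop in (parse_received(h) for h in headers) if hop["reasons"]]


def campaign_window_seconds(headers):
    """Seconds between the first and last delivery attempt seen in these headers."""
    stamps = [parse_received(h)["timestamp"] for h in headers]
    return int((max(stamps) - min(stamps)).total_seconds())


if __name__ == "__main__":
    for hop in triage(RECEIVED_HEADERS):
        print(hop["timestamp"].isoformat(), hop["ip"], hop["id"], "; ".join(hop["reasons"]))
    print("campaign window:", campaign_window_seconds(RECEIVED_HEADERS), "seconds")
```

All four hops trip both checks, and the window between the first and last hit is 22 minutes 39 seconds, which matches a single short blast from three relays rather than a drip campaign. Pivot on the queue ids in your own MTA logs to find recipients that this header sample does not show.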

Headers x-mailer:
none

Subject line(s):
FW: Important Account Documents

Message Body:
“This email was sent to: redacted@email Account Documents Please find attached your secure documents. Please review, complete and return completed documents via email to TDOffice@tdcommercialbanking[.]com. If you have any queries relating to the above, feel free to contact us at: TDOffice@tdcommercialbanking[.]com. This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely. The sender does not accept liability for any errors or omissions.”

URLs: the following open-tracking beacon was embedded in the body for campaign statistics. It carries no payload, but fetching it (for example by rendering remote images in a sandbox that is not isolated) tells the sender the address is live:
hxxps://fgjse1n9[.]emltrk[.]com/fgjse1n9?p&d=pmta8

Attachments:
Name: AccountDocuments.doc
MD5: 58f835ab7d724de9cbd051f7660e516c
SHA1: 4ee4b4e56eb72b0372e2b39a9271813387382d07
SHA256: 1a3a4c1e3f700508b7b6ee919de1ceb0d95204ae9202b4a7bd14c08c4c394916
SHA512: 735af6afedf00406fad15a19e699a6f07799534e6d5c7e481a3e2dcb32fdc7759b72ecbd91ec81a56a8607e8c6a5f0436c5c610a414ce555e6fc84af04ab29bf
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: 123, Template: Normal.dotm, Last Saved By: 123, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Tue May 29 17:55:00 2018, Last Saved Time/Date: Tue May 29 18:05:00 2018, Number of Pages: 1, Number of Words: 27, Number of Characters: 158, Security: 0
File size: 69632

– download –
Name: outurg.bin (a PE32 executable served with a .bin extension to evade extension-based filtering; it is renamed to .exe on disk before execution)
MD5: f0370f160bfa8338f386a0bdf4d1b481
SHA1: 4a3babbe311e7367059e7876704f519609da5c00
SHA256: 7199fb2ed59ddd47792822fc3936224a04ce19ebe1eb79439e062fd22043566d
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size: 287490

Connections:
hxxp://misionpsicologica[.]com/outurg.bin
62.210.84.32
hxxp://galeona[.]com/outurg.bin
212.89.16.142
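To turn the indicators above into something you can run against your own telemetry, here is an added Python example (mine, not code from the original post or from the linked write-up). It refangs the report's hxxp / [.] notation, checks constructed proxy log lines against the download and tracking hosts, the payload IPs and the outurg.bin path, looks up file hashes against the two samples, and applies the MZ check that exposes a .bin that is really a Windows executable. The proxy log format, the client and destination addresses in the sample lines, and the function names are my assumptions; the hashes, hosts and IPs are the ones listed in the report.

```python
import hashlib
import re
from urllib.parse import urlparse

# Network IOCs transcribed from the report, kept in its defanged notation.
DEFANGED_URLS = [
    "hxxp://misionpsicologica[.]com/outurg.bin",
    "hxxp://galeona[.]com/outurg.bin",
    "hxxps://fgjse1n9[.]emltrk[.]com/fgjse1n9?p&d=pmta8",
]
IOC_IPS = {"62.210.84.32", "212.89.16.142"}

# File hashes from the report (lower-case hex), mapped to what they identify.
IOC_HASHES = {
    "58f835ab7d724de9cbd051f7660e516c": "AccountDocuments.doc (MD5)",
    "4ee4b4e56eb72b0372e2b39a9271813387382d07": "AccountDocuments.doc (SHA1)",
    "1a3a4c1e3f700508b7b6ee919de1ceb0d95204ae9202b4a7bd14c08c4c394916": "AccountDocuments.doc (SHA256)",
    "f0370f160bfa8338f386a0bdf4d1b481": "outurg.bin (MD5)",
    "4a3babbe311e7367059e7876704f519609da5c00": "outurg.bin (SHA1)",
    "7199fb2ed59ddd47792822fc3936224a04ce19ebe1eb79439e062fd22043566d": "outurg.bin (SHA256)",
}


def refang(s):
    """Undo hxxp / [.] defanging so an IOC can be compared with real log data."""
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def ioc_hosts():
    """Hostnames of every URL IOC, lower-cased for matching."""
    return {urlparse(refang(u)).hostname.lower() for u in DEFANGED_URLS}


# Constructed proxy log layout (assumption, not from the report):
#   <timestamp> <client-ip> <destination-ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)

# Constructed sample lines; addresses other than the report's IPs are RFC 5737 placeholders.
SAMPLE_LOG = [
    "2018-05-29T18:41:03Z 10.0.0.23 203.0.113.10 GET https://fgjse1n9.emltrk.com/fgjse1n9?p&d=pmta8 200 43",
    "2018-05-29T18:41:40Z 10.0.0.23 62.210.84.32 GET http://misionpsicologica.com/outurg.bin 200 287490",
    "2018-05-29T18:41:41Z 10.0.0.23 212.89.16.142 GET http://galeona.com/outurg.bin 404 0",
    "2018-05-29T18:42:10Z 10.0.0.44 198.51.100.7 GET https://www.example.com/index.html 200 1256",
]


def scan_proxy_log(lines):
    """Return every log line that touches a listed host, listed IP or the payload path."""
    hosts = ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append(f"host {host} is a listed download/tracking domain")
        if m["dst"] in IOC_IPS:
            reasons.append(f"destination {m['dst']} is a listed payload IP")
        if parsed.path.lower().endswith("/outurg.bin"):
            reasons.append("requested the Trickbot payload file name")
        if reasons:
            hits.append({"client": m["client"], "url": url, "status": int(m["status"]), "reasons": reasons})
    return hits


def file_hashes(data):
    """MD5/SHA1/SHA256 of a file's bytes, in the form the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(hashes):
    """Names of the report samples that any of the given digests belongs to."""
    return [IOC_HASHES[h.lower()] for h in hashes.values() if h.lower() in IOC_HASHES]


def looks_like_pe(data):
    """A .bin that starts with the MZ DOS stub is a Windows executable whatever its extension says."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["url"], "|", "; ".join(hit["reasons"]))
```

Matching on the destination IP as well as the hostname matters here: a 404 from galeona.com is still a successful macro execution on the client, and a client that reached the payload IP by another name should be triaged the same way. The hash lookup covers any of the three digests, so it works with whichever one your EDR or mail gateway records.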

Resources:
https://myonlinesecurity.co.uk/fake-td-commercial-banking-important-account-documents-delivers-trickbot-banking-trojan/