Just a PHISHING and spam site or part of a campaign?

Re: https://urlhaus.abuse.ch/url/140545/
Re: https://www.virustotal.com/#/url/5901020a548bb449f1175b94b2e43f7fc6c3e924384da048275b9f83d992abd2/detection
3 to detect: https://www.virustotal.com/#/url/489b6bc27e2bd82c13ad80e10a245b704e693f39f3adc8288be8b56f24be3e45/detection
Redirect: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=a3t5dF1zdXBwbHkufXVgI3tgW11HXVFGUDU4ODE0NzZgI3tgfXteSGA%3D~enc
landing at -https://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d
Known PHISHING & spam site: https://www.virustotal.com/en/url/f3713be5cd7156a19083443bf57f1fc2c96a13c50efbaef2ecf6193138443ae1/analysis/1544769021/

polonus

Another one resolving to this address: https://urlhaus.abuse.ch/url/141832/
redirecting to https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTM0LjI0OS4xMTYuNzhgW24je3gucGhw~enc
landing at -https://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d
3 engines detect: https://www.virustotal.com/#/url/f3713be5cd7156a19083443bf57f1fc2c96a13c50efbaef2ecf6193138443ae1/detection
enom abuse,

polonus

A new redirecting web address there, but fitting the same campaign: https://urlhaus.abuse.ch/url/145541/
https://www.virustotal.com/en/file/b9a09b30b5cffc997131d4c53e6ccf006625a705fb6f919ea542c1375bf376d1/analysis/1551112990/
Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTM0LjI0OS4xMTYuNzhgW24je3gucGhw~enc
and https://www.virustotal.com/#/url/70c331d0a9de9ac1873efc43d52bbfcfbaa26e51383e224c9a9a27aa35711e46/detection
landing at < meta http-equiv="refresh" content="0;URL=hxtps://sd5doozry8.com/ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d" />

polonus

A new redirecting web address there, but fitting the same campaign: https://urlhaus.abuse.ch/url/145541/
The URL is live and downloads a fake.doc that most likely downloads ransomware if run.

Fake.doc
https://www.virustotal.com/#/file/f5c2d630e938e229fba43526648a59a6b11d68543b2a4b50107e9e1bb4eecf33/detection

Thanks, Pondus, for clearing that up.
Threatening, as well, but I think it dwells in the realm of heuristic detections for PUP-mode.
Am I right there?

pol

I got the fake.doc payload and it seems to download the Emotet banking trojan.

https://www.virustotal.com/#/file/c170b7cbf4eb90ce1bbadd17d346d9ea994a39ae4ba5421a3a0ce74694662053/detection

https://en.wikipedia.org/wiki/Emotet

https://www.us-cert.gov/ncas/alerts/TA18-201A

Hi,
Detection on both files will be released in the next stream update + URL block of course.

Thank you guys.
Lukas