From: Loretta Gilmore
Date: 20 September 2016 at 08:31
Subject: Tracking data
Good afternoon [redacted],
Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.
The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.
The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.
Analysis of the attachments is pending.
Hybrid Analysis of various samples     shows the script downloading from various locations:
All of these are hosted on:
220.127.116.11 (21 Century Telecom Ltd, Russia)
18.104.22.168 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
22.214.171.124/data/info.php (Anton Malyi aka conturov.net, Ukraine)
126.96.36.199/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
188.8.131.52/data/info.php (TCTEL, Russia)
184.108.40.206/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php [220.127.116.11] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57.