Wednesday, 1 July 2015
Malware spam: "Phil" [phil@twococksbrewery.com] / "Statement JUL-2015"
This fake financial spam does not come from Two Cocks Brewery but is instead a simple forgery with a malicious attachment.
From "Phil" [phil@twococksbrewery.com]
Date Wed, 01 Jul 2015 15:48:24 +0530
Subject Statement JUL-2015
Hi,
Please find attached a copy of the statement for the month of JUL-2015.
Kind regards,
PHIL
Attached is a file Customer Statement.doc which is the same payload as used in this attack.
Malware spam: "Document Order 534-550719-84513074/1" / "web-filing@companies-house.gov.uk"
This spam email is not from Companies House but is instead a simple forgery with a malicious attachment.
From web-filing@companies-house.gov.uk
Date Wed, 01 Jul 2015 10:49:12 +0300
Subject Document Order 534-550719-84513074/1
Order: 534-550719-84513074 29/06/2015 09:35:46
Companies House WebFiling order 534-550719-84513074/1 is attached.
Thank you for using the Companies House WebFiling service.
--
Email: enquiries@companies-house.gov.uk Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept
incoming email. Please do not reply directly to this message.
In the sample I saw, the attachment was named compinfo_534-550719-84513074_1.doc [VT 2/55] which contained this malicious macro [pastebin] which downloads a file from:
http://demaiffe.be/75/85.exe
This is then saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of just 1/55. Automated analysis tools [1] [2] [3] indicate malicious traffic to:
78.47.139.58 (Hetzner, Germany)
This IP has been seen a few times recently. Blocking traffic to it is probably a good idea.
The payload is probably the Dridex banking trojan, which usually drops via a DLL, although I have not been able to obtain a sample.
MD5s:
7e634a4d8eaad8643d5828b1606c709f
847aa0e22b419316a2e82c813d5ca690
Tuesday, 30 June 2015
Malware spam: "Donna Vipond" / "donna.vipond@ev-ent.co.uk" / "Payment due - 75805"
This fake invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:
From "Donna Vipond" [donna.vipond@ev-ent.co.uk]
Date Tue, 30 Jun 2015 13:13:28 +0100
Subject Payment due - 75805
Please advise when we can expect to receive payment of the attached
invoice now due? I await to hear from you.
Kind Regards
Donna Vipond
Accounts
Event Furniture Ltd T/A Event Hire
Tel: 01922 628961 x 201
Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report [1] [2]). The samples I saw downloaded a file from either:
www.medisinskyogaterapi.no/59/56.exe
www.carpstory.de/59/56.exe
This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55. The various analyses including this Malwr report and this Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany).
The payload is probably the Dridex banking trojan.
Recommended blocklist:
78.47.139.58
MD5s:
e704ff948e791ad67d2c46238629335d
b93dfe419fd9c2638fb4afce85efa3f2
25871a5bbeb85b0fbc07531cfc6193ce
Monday, 29 June 2015
Malware spam: "CEF Documents" / "Dawn.Sandel@cef.co.uk" / "Dawn Sandel"
This fake financial spam does not come from City Electrical Factors but is instead a simple forgery with a malicious attachment.
From: "Dawn.Sandel@cef.co.uk" [Dawn.Sandel@cef.co.uk]
Subject: CEF Documents
Date: Mon, 29 Jun 2015 13:48:27 +0300
Please find attached the following documents issued by City Electrical Factors:
Invoice - BLA/176035 - DUCHMAID
If you have any problems or questions about these documents then please do not hesitate to contact us.
Regards,
Dawn Sandel
Phone: 01282 698 112
Fax: 01282 696 818
Dawn Sandel
Group Office
Nelson & Northwest Region
City Electrical Factors Limited
Tel: 01282 698 112 Fax: 01282 696 818
11 Kenyon Road, Lomeshaye Industrial Estate, Nelson, BB9 5SPv
The attachment is BLA176035.doc which contains a malicious macro. So far I have seen two different versions (Analysed here by Payload Security's Hybrid Analysis [1] [2]) which download a binary from one of the following locations:
dev.seasonsbounty.com/543/786.exe
cbebay.com/543/786.exe
This executable has a detection rate of 11/55. Those analyses show the samples phoning home to the following IPs:
78.47.139.58 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
91.121.173.193 (OVH, France)
183.81.166.5 (IP ServerOne, Malaysia)
The payload is probably Dridex, but I was not able to get a copy of the DLL.
Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5
MD5s:
65520ecd513c8b8b75f601aa2e69aeef
6bb2b8dc2129ad62ba459797c8544ff3
1396d0cb86bd400f7e364d583958ac33
Malware spam: "Payslip for period end date 29/06/2015" / "noreply@fermanagh.gov.uk"
This fake financial spam comes with a malicious payload:
From: noreply@fermanagh.gov.uk [noreply@fermanagh.gov.uk]
Date: 29 June 2015 at 11:46
Subject: Payslip for period end date 29/06/2015
Dear [redacted]
Please find attached your payslip for period end 29/06/2015
Payroll Section
Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55. Automated analysis [1] [2] shows a file being downloaded from:
http://audileon.com.mx/css/proxy_v29.exe
That binary has a detection rate of just 2/55 [Malwr analysis]. Also, Hybrid Analysis [1] [2] shows the following IPs being contacted for what looks to be malicious purposes:
69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)
I am unable to determine exactly what the payload is on this occasion.
Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242
MD5s:
71a42eaac6f432c8dc04465c065e48e1
4009cd042071c81ce9c1aaa13ac046f2
Friday, 26 June 2015
Malware spam: "Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)" / "directdebit@taxdisc.service.gov.uk"
This spam does not come from the UK government, but instead is a simple forgery with a malicious payload:
From: directdebit@taxdisc.service.gov.uk
Date: Fri, 26 Jun 2015 15:58:38 +0700
Subject: Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)
Important: Confirmation of your successful Direct Debit instruction
Dear customer
Vehicle registration number: FG08OEE
Thank you for arranging to pay the vehicle tax by Direct Debit.
Please can you check that the details attached below, and your payment schedule are correct.
If any of the above financial details are incorrect please contact your bank as soon as possible.
However, if your details are correct you don’t need to do anything and your Direct Debit will be processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the Direct Debit Guarantee is included with this letter.
For your information, the collection will be made using this reference, and this is how your payment will be detailed on your bank statements:
- DVLA Identifier: 295402
- Reference: FG08OEE
Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new payment schedule at the time of renewal.
Yours sincerely
Rohan Gye
Vehicles Service Manager
www.gov.uk/browse/driving
Attached to the message is a file FG08OEE.doc with a VirusTotal detection rate of 2/55. The macro in it proved resistant to manual analysis, but the Hybrid Analysis does the job easily enough, spotting a download from:
werktuigmachines.be/708/346.exe
This file was also being used in another spam run earlier today.
Malware spam: "Order Confirmation RET-385236 250615" / "donotreply@royal-canin.fr"
This fake financial spam comes with a malicious payload:
From: [1NAV PROD RCS] [mailto:donotreply@royal-canin.fr]
Subject: Order Confirmation RET-385236 250615
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
In the sample I have seen, the attachment is called Order Confirmation RET-385236 250615.doc which contains this malicious macro [pastebin] which downloads a component from the following location:
http://colchester-institute.com/708/346.exe
Usually there are several different versions of the macro, each one loading an identical binary but from different locations. This file is saved as %TEMP%\biksenpd.exe and has a VirusTotal detection rate of 7/55.
According to various automated analysis tools, the sample doesn't seem to run properly [1] [2] [3] [4] but it looks like it tries to send traffic to the following IPs:
68.169.49.213 (Strategic Systems Consulting, US)
87.236.215.151 (OneGbits, Lithuania)
2.185.181.155 (ASDL Subscriber, Iran)
Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155
Wednesday, 24 June 2015
Malware spam: "Considerable law alternations" / "excerptum_from_the_implemented_rule.zip" / "Pamela Adams"
This fake legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above.
Pamela Adams
Chief accountant
In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55.
Automated analysis tools [1] [2] [3] show malicious traffic to the following IPs:
93.185.4.90 (C2NET Przno, Czech Republic)
216.16.93.250 (Clarity Telecom LLC / PrairieWave, US)
195.34.206.204 (Radionet, Ukraine)
75.98.158.55 (Safelink Internet , US)
185.47.89.141 (Orion Telekom, Serbia)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
85.192.165.229 (Rostelecom / VolgaTelecom, Russia)
178.222.250.35 (Telekom Srbija, Serbia)
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55 - identical to the initial file) and qppwkce.exe (VT 3/55). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Recommended blocklist:
93.185.4.90
216.16.93.250
195.34.206.204
75.98.158.55
185.47.89.141
83.168.164.18
85.192.165.229
178.222.250.35
MD5s:
a85849c45667805231f2093e2eabe89d
e91e0424ac23193461c57ac1046e7dc1
Tuesday, 23 June 2015
Malware spam: "Hope this e-mail finds You well" / "Stacey Grimly"
This spam comes with a malicious attachment:
Date: 23 June 2015 at 14:14
Subject: Hope this e-mail finds You well
Good day!
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
Stacey Grimly,
Project Manager
Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
The file sizes actually match the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters.
Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52 or 3/54. Automated analysis tools [1] [2] [3] indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
These two Malwr reports [1] [2] show dropped files named yaxkodila.exe (two versions, VT 5/54 and 5/55) plus a file jieduk.exe (VT 8/54). Incidentally, the VirusTotal analysis also throws up another IP address of:
104.174.123.66 (Time Warner Cable, US)
The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66
MD5s:
67f05372a34534c5892defb29ba8ead7
267e23f6430999f4b71a074835f19fb2
cebf89f088458f3e89599ae44d03cddf
cfdcb1cbe8983707287be4a03cdb88b4
880ba84222524510c9fe3b3d80429816
Monday, 22 June 2015
Malware spam: "Tax inspection notification" / "tax_663-20845-0479-435.zip size=18288.zipsize=18288"
This fake tax notification comes with a malicious payload.
Date: 22 June 2015 at 19:10
Subject: Tax inspection notification
Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor
Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57.
This Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http://93.93.194.202:13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today and it belongs to Orion Telekom in Serbia. This VirusTotal report also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report also shows traffic to 37.57.144.177 (Triolan, Ukraine).
Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57] and sveezback.exe [VT 15/57]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
MD5s:
394c56133b323ce3bf038cfc7a00562a
4e9fec8e532664672bd3a022f4f0b4ec
14b8a0f6a9258f9e73f63a4269641ca0
Malware spam: "Shareholder alert" / "instructions.zip size=21154.zipsize=21154"
This fake financial spam comes with a malicious attachment:
Date: 22 June 2015 at 13:07
Subject: Shareholder alert
Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to resolution of the Board of Directors. Please see attached.
Glen McCoy, Partner
Attached is a mis-named ZIP file called instructions.zip size=21154.zipsize=21154 containing a malicious executable instructions_document.exe which has a VirusTotal detection rate of 1/56.
The Malwr report indicates network traffic to:
http://93.93.194.202:13227/212/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http://93.93.194.202:13227/212/HOME/41/5/1/ELHBEDIBEHGBEHK
93.93.194.202 is Orion Telekom in Serbia.
It also drops an executable xiroukiqa.exe with a detection rate of 5/56 and vusjeson.exe with a detection rate of 4/57. The VirusTotal report for the last binary also shows traffic to 64.111.36.35 (Midwest Data Center, US), which is clearly malicious according to VirusTotal.
The characteristics of this malware indicate the Upatre downloader leading to the Dyre banking trojan.
Recommended blocklist:
64.111.36.35
93.93.194.202
MD5s:
058216b2635e9c48c22eda6f9b7c83b5
6b2858d4452d97992ab78fd228c3970d
da53e58da4778515d22a96968766c3e3
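The three Upatre runs above ("Hope this e-mail finds You well", "Tax inspection notification" and "Shareholder alert") all use the same trick: a ZIP attachment whose name has a second ".zip" and a "size=NNNNN" token spliced into it, with the embedded number equal to the real byte count. The following is an added example, not code from the blog, showing how a mail gateway or triage script can turn that observation into a check: flag the malformed name, compare the embedded size against the actual attachment, and then look inside the archive for an executable. The sample ZIP is constructed in memory with an inert stand-in payload; the member name info_bank_pdf.exe is taken from the posts, everything else is assumed.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

# Filenames from the spam runs on this page look like
#   "check.zip size=57747.zipsize=57747"
#   "instructions.zip size=21154.zipsize=21154"
# A sane attachment name has one extension and no embedded "size=" tokens.
SIZE_TOKEN = re.compile(r"size=(\d+)")
# Member extensions that should never ride inside a ZIP on a mail gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".js", ".vbs", ".bat", ".cmd"}


@dataclass
class AttachmentVerdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Flag a mail attachment by its (possibly mangled) name and its contents."""
    verdict = AttachmentVerdict(filename)
    lowered = filename.lower()

    # 1. Name checks: a duplicated ".zip" and "size=" tokens are the
    #    fingerprint of the malformed names described in the posts.
    if lowered.count(".zip") > 1:
        verdict.reasons.append("multiple .zip extensions in name")
    claimed = [int(n) for n in SIZE_TOKEN.findall(filename)]
    if claimed:
        verdict.reasons.append("size= token embedded in filename")
        # The posts observe that the embedded number is the real byte count;
        # a match is therefore itself an indicator, not a sign of legitimacy.
        if all(c == len(data) for c in claimed):
            verdict.reasons.append(f"embedded size {claimed[0]} matches actual size")
        else:
            verdict.reasons.append(f"embedded size {claimed} != actual {len(data)}")

    # 2. Content checks: is it really a ZIP, and does it carry an executable?
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict.reasons.append("not a valid ZIP archive")
        return verdict
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            ext = os.path.splitext(member)[1].lower()
            if ext in EXECUTABLE_EXTS:
                verdict.reasons.append(f"archive contains executable {member}")
    return verdict


def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Constructed fixture: an in-memory ZIP holding one inert file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member, payload)
    return buf.getvalue()


def demo():
    """Run the check on a mangled-name sample and on a benign one."""
    # Member name mirrors the posts; the bytes are an inert stand-in, not malware.
    blob = build_sample_zip("info_bank_pdf.exe", b"MZ" + b"\x00" * 64)
    mangled = f"check.zip size={len(blob)}.zipsize={len(blob)}"
    benign = build_sample_zip("report.txt", b"quarterly figures")
    return inspect_attachment(mangled, blob), inspect_attachment("report.zip", benign)


if __name__ == "__main__":
    for v in demo():
        print(v.filename, "->", "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The name checks run before the archive is opened, so a gateway can reject on the filename alone; the content check catches the same payload when the attacker drops the mangled name and simply renames the archive.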
Friday, 19 June 2015
Malware spam: "New instructions" / "instructions_document.exe"
This rather terse spam comes with a malicious payload:
From: tim [tim@thramb.com]
Date: 19 June 2015 at 16:40
Subject: New instructions
New instructions payment of US banks, ask to read
Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe.
The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57]. Automated analysis tools [1] [2] [3] [4] show traffic to:
93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID
which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33:443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection.
In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
Recommended blocklist:
93.93.194.202
66.196.63.33
MD5s:
329a2254cf4c110f3097aafdaa50c82a
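The Upatre posts above give three things a defender can match on in a web proxy log: the recommended blocklist IPs, the beacon URL shape (a literal IP on an unusual high port with a path such as /C21/UEQUILABOOMBOOM/0/51-SP3/0/...), and the icanhazip.com lookup that the post calls a good indicator of infection without being malicious itself. The following is an added example, not the blog's own code, that scans constructed proxy log lines for those indicators and separates the weak one from the strong ones. The blocklist IPs and the beacon URL are copied from the posts; the log line format, timestamps and internal client addresses are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# IPs copied from the recommended blocklists in the Upatre/Dyre posts on this page.
BLOCKLIST = {
    "93.93.194.202", "66.196.63.33", "178.214.221.89", "37.57.144.177",
    "64.111.36.35", "173.216.240.56", "188.255.169.176", "68.190.246.142",
    "104.174.123.66",
}
# icanhazip.com is a legitimate service; the post notes this Upatre generation
# uses it to learn its external address, so treat it as a weak indicator only.
WEAK_INDICATOR_HOSTS = {"icanhazip.com"}


def is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> list:
    """Return the indicator names matched by one proxied URL (empty if clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if host in BLOCKLIST:
        hits.append("blocklisted-ip")
    if host in WEAK_INDICATOR_HOSTS:
        hits.append("external-ip-lookup")
    # Beacon shape quoted in the posts: literal IP, unusual high port, and a
    # path like /203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK carrying an OS tag
    # such as "51-SP3". Structural match only; the IP may change between runs.
    segments = [s for s in parts.path.split("/") if s]
    if (is_literal_ip(host) and parts.port not in (None, 80, 443)
            and len(segments) >= 4 and any("-SP" in s for s in segments)):
        hits.append("upatre-beacon-shape")
    return hits


def scan_proxy_log(lines):
    """Lines are '<timestamp> <client-ip> <method> <url>' (assumed format)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        ts, client, _method, url = fields[:4]
        hits = classify_url(url)
        if hits:
            findings.append({"ts": ts, "client": client, "url": url, "hits": hits})
    return findings


def infected_clients(findings) -> list:
    """Clients with a strong indicator; an external-IP lookup alone is not enough."""
    strong = {"blocklisted-ip", "upatre-beacon-shape"}
    return sorted({f["client"] for f in findings if strong & set(f["hits"])})


# Constructed sample log: the beacon URL and blocklisted IPs are from the posts,
# the timestamps and internal client addresses are made up.
SAMPLE_LOG = [
    "2015-06-19T16:41:02 10.0.0.23 GET http://93.93.194.202:13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID",
    "2015-06-19T16:41:03 10.0.0.23 GET http://icanhazip.com/",
    "2015-06-19T16:41:05 10.0.0.23 CONNECT https://66.196.63.33:443/",
    "2015-06-19T16:42:10 10.0.0.41 GET http://www.example.com/index.html",
    "2015-06-19T16:42:11 10.0.0.41 GET http://icanhazip.com/",
]

if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_LOG)
    for r in results:
        print(r["ts"], r["client"], ",".join(r["hits"]), r["url"])
    print("clients to isolate:", infected_clients(results))
```

The second client only performs the icanhazip.com lookup, so it is reported but not listed for isolation; the first client hits the blocklist and the beacon shape and is. Keeping the weak indicator separate is what stops the lookup alone from generating false positives on hosts that use the service legitimately.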
Thursday, 18 June 2015
Malware spam: "NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693" / "sac.contact4e74974737@bol.com.br"
This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.
From: sac.contact4e74974737@bol.com.br
To: mariomarinho@uol.com.br
Date: 18 June 2015 at 08:46
Subject: NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by: bol.com.br
Hello.
We are forwarding the LINK to download the electronic invoice.
https://cfb53a79c1679ed75e40a391fa21b9b359784781.googledrive.com/host/[redacted]
If any of the details are wrong, please reply to us at the e-mail nfe@jmcomercio.com.br.
Regards, DANI AIRES FINANCE DEPT.
18/06/15 :
04:46:18.161 :
''8636055042''WTg9R9cng3hYUD''RYkSkcFpJs''
Please do not "reply" to this message.
The reference numbers and sender change slightly in each version.
I've seen three samples before, each one with a different download location [a list is here] which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.
The Malwr report indicates that it downloads components from the following locations:
http://donwup2015.com.br/arq/point.php
http://tynly2015.com.br/upt/ext.zlib
The Hybrid Analysis report also has some other details.
These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal reports for both these IPs [1] [2] indicate a high level of badness, so they should be blocked.
Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.
Recommended blocklist:
108.167.188.249
187.17.111.104
MD5s:
71070bc5e6b5c03c2e1d1ef4563c7b94
b969376c85d4e7f1a94ca3a2e416792e
Monday, 15 June 2015
Malware spam: "[Nyfast] Payment accepted" / "Nyfast [mailto:sales@nyfast.com]"
From: Nyfast [mailto:sales@nyfast.com]
Sent: Monday, June 15, 2015 11:47 AM
Subject: [Nyfast] Payment accepted
Hi,
Thank you for shopping with Nyfast!
Order ZUJIEQGQV - Payment processed
Your payment for order with the reference ZUJIEQGQV was successfully processed. You can review your order and download your invoice from the "Order history" section of your customer account by clicking "My account" on our shop. If you have a guest account, you can follow your order via the "Guest Tracking" section on our shop.
Nyfast powered by PrestaShop™
Attached is a Word document with a malicious macro, named 29172230_15.06.15.doc. The payload is the same as the one found in this earlier spam run.
Malware spam: "New Doc" / "Will Kinghan [WKinghan@hhf.uk.com]"
This spam does not come from Henry Howard Finance, but is instead a simple forgery with a malicious attachment.
From: Will Kinghan [WKinghan@hhf.uk.com]
Date: 15 June 2015 at 12:09
Subject: New Doc
Hello,
My apologies again.
Document attached
Will
With kind regards,
Will Kinghan
Account Manager
T: 01633 415235 | M: 07468723790 | E: wkinghan@hhf.uk.com
www.henryhowardfinance.co.uk
The information in or attached to this email is confidential and may be legally privileged. If you are not the intended recipient of this message any use, disclosure, copying, distribution or any action taken in reliance on it is prohibited and may be unlawful. If you have received this message in error, please notify the sender immediately by return email or by telephone on 01633 415222 and delete this message and any copies from your computer and network. Henry Howard Finance plc. do not warrant this email and any attachments are free from viruses and accepts no liability for any loss resulting from infected email transmissions. Henry Howard Finance plc. reserve the right to monitor all e-mail communications through its networks. Please note that any views expressed in this email may be those of the originator and do not necessarily reflect those of Henry Howard Finance plc. registered in Wales, Company no. 40151132 has registered offices at Unit 5 Langstone Business Village, Langstone Park, Newport, NP18 2LH, VAT no. 753461724. Henry Howard Finance Plc is Authorised by the Financial Conduct Authority (FCA)
Head Office
T: 01633 415222 | F: 01633 415223
Unit 5 | Langstone Business Village | Langstone Park | Langstone | Newport | Gwent | NP18 2LH
Attached is a Word document New doc.doc which contains a malicious macro. It is the same payload as seen in this other spam run earlier today.
Malware spam: "Payment Confirmation 29172230" / "reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]"
This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230
Dear Sirs,
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
Kind Regards
Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk
The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:
http://www.freewebstuff.be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffic to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According to this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10
MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a
Thursday, 11 June 2015
Pump and Dump: "Go buy DJRT right now" / Dale Jarrett Racing Adventure Inc
This illegal Pump and Dump spam is pushing stocks in Dale Jarrett Racing Adventure Inc (DJRT):
The email is almost definitely nothing to do with pennystockcrew.com but is instead being spammed out by a criminally-controlled botnet.
DJRT is a loss-making stock which probably doesn't have good prospects according to its own SEC filing.
The P&D spam started on 10th June, and we can see from the trading data that somebody bought 1.8 million shares just before the spam run started [via]
This activity pushed the stock price up from 1.3 cents to nearly 5 cents. In recent years the stock has never traded particularly highly, but it recently dropped to the 1 cent area after trading at 2 to 5 cents.
Usually with a pump-and-dump spam such as this, it is either the spammers who are trying to manipulate the share price, or a stock holder seeking to boost the value of the shares so they can sell them. I have no evidence at all that anyone connected with Dale Jarrett Racing Adventure Inc has anything to do with this.
Typically, stocks promoted through P&D spams such as this will collapse after the spamming has finished, leaving investors out of pocket. Often the companies are on the verge of bankruptcy anyway, so investors sometimes lose everything. This too is likely to be a poor investment. Avoid.
From: PennyStockCrew [info@pennystockcrew.com]
Date: 10 June 2015 at 10:18
Subject: Go buy DJRT right now!
Dear Traders,
Our alert DJRT is doing so amazing that you are probably regretting you didn't buy it yet.
I'll tell you this point blank. If you didn't buy DJRT you are an idiot. Take 1 or 2k and go buy it right this second because it is going to go absolutely ballistic.
DJRT is the stock of the minute, of the hour, of the moment and my stock pick of the year!
GO buy DJRT right now and watch it kick past 10 dollars in a heartbeat.
You are signed up to my alerts at www.pennystockcrew.com
Thank you for being a loyal member.
Sincerely yours,
Penny Stock Crew | info@pennystockcrew.com | Michael Killian | PO Box 110226 | Nutley, NJ 07110
Labels:
Pump and Dump,
Spam
Phish: "New_Order_#056253_Hf_Constructions" / "joseph.zhou@hong-kee.com"
I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters.
The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section.
From: Kang Li [mailto:joseph.zhou@hong-kee.com]
Sent: 10 June 2015 09:35
Subject: New_Order_#056253_Hf_Constructions
Dear,
Please find attached our new order and send P/I against 50% advance payment
best regards
kang
An examination of the underlying PDF file shows two URLs listed:
[donotclick]designaffair.com.my/js/jss/accesslogin.php
[donotclick]perm.ly/importers-buyers-exporters
In turn these redirect to:
[donotclick]megatrading.hol.es/order/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
[donotclick]tips-and-travel.com/~saulitoo/imgs/0exbligh0bwwciagica8is0tw2lmielfidhdpia8ahrtbcbk/index.html
The second URL listed 404s, but the first one is active. According to the URLquery report, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page at:
[donotclick]guest.lifevericalls.xyz/outlandish_litigant_tuners_nudeness/03737928145651311
This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort.
The "megatrading.hol.es" (hosted on 31.220.16.16 by Hostinger - VT report) landing page looks like a straightforward phish:
Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct.
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183
Wednesday, 10 June 2015
Malware spam: "Hayley Sweeney [admins@bttcomms.com]" / "Your monthly BTT telephone bill"
This spam does not come from BTT Communications, but is instead a simple forgery with a malicious attachment:
From: Hayley Sweeney [admins@bttcomms.com]
Date: 10 June 2015 at 11:20
Subject: Your monthly BTT telephone bill
Please find attached your telephone bill for last month.
This message was sent automatically.
For any queries relating to this bill, please contact Customer Services on 01536 211100.
So far I have only seen one sample with an attachment Invoice_68362.doc which contains this malicious macro [pastebin] which downloads a malicious executable from:
http://www.jimaimracing.co.uk/64/11.exe
This is saved as %TEMP%\birsafpc.exe and it has a VirusTotal detection rate of 6/57. Automated analysis tools show traffic to the following IPs:
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
This Malwr report also indicates that it drops a Dridex DLL with a detection rate of 7/57.
Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10
MD5s:
80e51715a4242d0d25668d499796b733
10e4291882e2d45a1a7a52e7d93a5579
53f8addb0e1734be13735e51332b2e90
Tuesday, 9 June 2015
Malware spam: "Password Confirmation [490192125626] T82"
This spam email message comes with a malicious attachment:
From: steve.tasker9791@thomashiggins.com
Date: 9 June 2015 at 10:41
Subject: Password Confirmation [490192125626] T82
Full document is attached
So far I have seen only a single example of this. Attached is a malicious Word document named 1913.doc [VT 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:
http://oakwindowsanddoors.com/42/11.exe
Incidentally, the macro contains a LOT of junk that appears to have been harvested from a Microsoft tutorial or something. The downloaded executable has a VirusTotal detection rate of 4/57 and automated analysis tools [1] [2] [3] [4] indicate traffic to the following IPs:
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
31.186.99.250 (Selectel, Russia)
The Malwr report shows that it downloads a Dridex DLL with a detection rate of 3/57.
Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250
MD5s:
3a39074dd9095e0b436dcc9513a0408a
1994c977a4e6e6386e0ba17c0cffe5c9
2e5c33d8fdf22053cb3f49b200b35dc8
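As an added example (not the blog's own code), here is a small Python triage script that does what the "Recommended blocklist" sections above imply a defender should do: it runs over proxy logs and flags connections to the blocklisted IPs from the Reed, BTT and "Password Confirmation" posts, plus the /NN/NN.exe download path that all three macro downloaders share. The log format and every log line are constructed for the example and are not real traffic.

```python
import re

# Indicators copied from the recommended blocklists on this page (Dridex runs, June 2015).
BLOCKLIST_IPS = {
    "136.243.14.142", "71.14.1.139", "173.230.130.172",
    "94.23.53.23", "176.99.6.10", "31.186.99.250",
}
# The macro downloaders on this page all fetched /NN/NN.exe (/34/44.exe, /64/11.exe, /42/11.exe).
DROPPER_URL = re.compile(r"^https?://[^/]+/\d{1,3}/\d{1,3}\.exe$", re.IGNORECASE)

# Constructed proxy log (hypothetical format: time client method target status); not real traffic.
SAMPLE_LOG = """\
2015-06-15T11:12:03Z 10.0.0.21 GET http://www.freewebstuff.be/34/44.exe 200
2015-06-15T11:12:09Z 10.0.0.21 CONNECT 136.243.14.142:443 200
2015-06-15T11:13:41Z 10.0.0.33 GET http://www.example.com/index.html 200
2015-06-10T11:22:17Z 10.0.0.40 GET http://www.jimaimracing.co.uk/64/11.exe 200
2015-06-10T11:22:30Z 10.0.0.40 CONNECT 94.23.53.23:8080 200
2015-06-10T11:25:02Z 10.0.0.51 GET http://www.example.org/reports/2015/06.pdf 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")

def classify(line):
    """Return (client, reason, indicator) for a suspicious log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, target, _status = m.groups()
    if method == "CONNECT":                     # CONNECT lines carry host:port, no scheme
        host = target.rsplit(":", 1)[0]
    else:
        h = HOST_RE.match(target)
        host = h.group(1) if h else ""
    if host in BLOCKLIST_IPS:
        return (client, "blocklisted-ip", host)
    if DROPPER_URL.match(target):
        return (client, "dropper-url", target)
    return None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def likely_infected(hits):
    """Clients that both fetched a /NN/NN.exe payload and contacted a blocklisted IP."""
    reasons = {}
    for client, reason, _ in hits:
        reasons.setdefault(client, set()).add(reason)
    return sorted(c for c, r in reasons.items() if {"dropper-url", "blocklisted-ip"} <= r)
```

A client that matches both indicators (payload download followed by C2 contact) is a much stronger signal than either alone, so `likely_infected` is the list to act on first.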