This morning’s first Trickbot banking Trojan campaign comes in an email with varying subjects, including:

  • paper
  • doc
  • scan
  • invoice
  • documents
  • Scanned Document
  • receipt
  • order

They are all coming from random girls’ names at random email addresses.

There is a zip attachment containing a VBS file.
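A mail-gateway style check for the pattern described above (a zip attachment whose contents include a script file), as an added example that is not part of the original post. The function names, the extra script extensions beyond `.vbs`, and the constructed sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click; .vbs is the one in this campaign.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Subjects listed in the post, lower-cased for comparison.
CAMPAIGN_SUBJECTS = {"paper", "doc", "scan", "invoice", "documents",
                     "scanned document", "receipt", "order"}

def scripts_in_zip_attachments(raw_message: bytes) -> list[str]:
    """Return names of script files found inside zip attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Check the content, not the filename: the zip may be misnamed.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()  # reads the directory only, no extraction
        except zipfile.BadZipFile:
            continue
        hits += [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    return hits

def triage(raw_message: bytes) -> dict:
    """Subject match is context only; a script inside a zip drives quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    scripts = scripts_in_zip_attachments(raw_message)
    return {"subject_match": subject in CAMPAIGN_SUBJECTS,
            "scripts": scripts,
            "quarantine": bool(scripts)}

def build_sample(subject: str, inner_name: str) -> bytes:
    """Constructed test message: a harmless text file stored in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "' harmless placeholder\n")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attached")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="doc.zip")
    return m.as_bytes()
```

The quarantine decision deliberately ignores the subject and sender, since both vary across this campaign while the script-in-zip delivery stays constant.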

A couple of examples:

https://www.virustotal.com/en/file/5d6a5aed0b40512e7a94ae2905c6097e5b59a254f52074f8f2278a2d86c3bdad/analysis/1500545823/

https://www.virustotal.com/en/file/05e9e26f647fd9ee28aa96f876c794c95a7ee386dbba0679cd13145e2f1ffa74/analysis/1500543815/

https://www.virustotal.com/en/file/ed84edaae560299d6c33b419a73118fccfe41d6a8917ec1b06071976c6fb379d/analysis/1500543639/

https://www.hybrid-analysis.com/sample/05e9e26f647fd9ee28aa96f876c794c95a7ee386dbba0679cd13145e2f1ffa74?environmentId=100

https://www.hybrid-analysis.com/sample/5d6a5aed0b40512e7a94ae2905c6097e5b59a254f52074f8f2278a2d86c3bdad?environmentId=100

Download sites found so far are listed on https://pastebin.com/MGAVB1uz. Thanks to Racco42. Beware: for some reason the Pastebin link is giving me diverts to a scumware site trying to download a fake Flashplayer hta file (VirusTotal) (Payload Security): https://uubeilisthoopla.net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html

which downloads https://uubeilisthoopla.net/85123457821940/1500548202679984/FlashPlayer.jse (VirusTotal) (Payload Security)

It must be an advert on Pastebin, but I don’t know which one. I had just left Pastebin open in the background while I was preparing this post and it keeps trying to divert to the scumware site. It doesn’t happen as soon as you visit, only after a couple of minutes.