Racco42

2016-11-25 Locky "Overdue Invoice"

Nov 25th, 2016
2016-11-25 #locky email phishing campaign "A/C xxxxxxxxx - Overdue Invoice"

Email sample:
------------------------------------------------------------------------------------------------------------
From: "TOLER, PATRICA" <PATRICA.TOLER@macmillan.com>
To: [REDACTED]
Subject: A/C 0000055725 - Overdue Invoice
Date: Fri, 25 Nov 2016 01:13:05 +0200

Good Morning,

Please see attached invoice

The balance of 84.67 is overdue for payment, please can you confirm a payment date?
Kind Regards,

PATRICA Wood on behalf of Gail Russell
Credit Services
Macmillan Distribution MDL
Direct Line 0044 1256 302661
Direct Fax 0044 1256 363223
PATRICA.TOLER@macmillan.com
http://www.macmillandistribution.co.uk
********************************************************************************
DISCLAIMER: This e-mail is confidential and should not be used by anyone who is not the original intended recipient. If you have received this e-mail in error please inform the sender and delete it from your mailbox or any other storage mechanism. Neither Macmillan Publishers Limited nor Macmillan Publishers International Limited nor any of their agents accept liability for any statements made which are clearly the sender's own and not expressly made on behalf of Macmillan Publishers Limited or Macmillan Publishers International Limited or one of their agents.
Please note that neither Macmillan Publishers Limited nor Macmillan Publishers International Limited nor any of their agents accept any responsibility for viruses that may be contained in this e-mail or its attachments and it is your responsibility to scan the e-mail and attachments (if any). No contracts may be concluded on behalf of Macmillan Publishers Limited or Macmillan Publishers International Limited or their agents by means of e-mail communication.
Macmillan Publishers Limited. Registered in England and Wales with registered number 785998. Macmillan Publishers International Limited. Registered in England and Wales with registered number 02063302.
Registered Office Brunel Road, Houndmills, Basingstoke RG21 6XS
Pan Macmillan, Priddy and MDL are divisions of Macmillan Publishers International Limited.
Macmillan Science and Education, Macmillan Science and Scholarly, Macmillan Education, Language Learning, Schools, Palgrave, Nature Publishing Group, Palgrave Macmillan, Macmillan Science Communications and Macmillan Medical Communications are divisions of Macmillan Publishers Limited.
********************************************************************************

Attachment: "Documents Requested.zip" -> KsLQFye3454.vbs
------------------------------------------------------------------------------------------------------------
- the sender name differs between emails, but the From address is spoofed so that it appears to come from @macmillan.com
- the subject is "A/C <9-10 digits> - Overdue Invoice"
- the attached file "Documents Requested.zip" contains a file "<11 random chars>.vbs", a VBScript downloader

Download sites:

Malware:
- encoded on download, SHA256 267daeb2857ba1e05a6721bcaa99420ceeda8108cf6276b38707cc6bcc79a6c4, MD5 fef0805c912091d50991640da831ef81
- decoded SHA256 87243b8832b685d6146c71c6558cfba59a761ecdd39d8d209968d44ea2fcecd7, MD5 79dc9200bdbeedeac2afb27ad8ff72fd
- executed by "rundll32 %TEMP%\<filename>.552, asd"
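A triage script that turns the campaign characteristics above (subject pattern, spoofed @macmillan.com sender, "Documents Requested.zip" wrapping an 11-character .vbs) and the rundll32 execution step into mail and process-log checks. This is an added example, not part of the original paste; the function names, the 11-character filename regex and the constructed sample message are my own, and the sample .vbs body is a harmless placeholder.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators lifted from the notes above; regex names and wording are my own.
SUBJECT_RE = re.compile(r"^A/C \d{9,10} - Overdue Invoice$")
SPOOFED_DOMAIN = "macmillan.com"
ZIP_NAME = "Documents Requested.zip"
VBS_NAME_RE = re.compile(r"^[A-Za-z0-9]{11}\.vbs$")
# rundll32 loading a ".552" file from the temp directory with export "asd"; accepts
# the literal %TEMP% form from the notes or an expanded ...\Temp\ path from telemetry.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S*(?:%TEMP%|Temp)\\[^\\\s]+\.552,\s*asd", re.I)

def triage_email(raw: bytes) -> list[str]:
    """Return the campaign indicators that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject pattern")
    if parseaddr(msg.get("From", ""))[1].lower().endswith("@" + SPOOFED_DOMAIN):
        hits.append("spoofed sender domain")  # header From only; confirm with SPF/DKIM
    for part in msg.iter_attachments():
        if part.get_filename() != ZIP_NAME:
            continue
        try:  # inspect the archive listing only, never extract or run the script
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        if any(VBS_NAME_RE.match(n) for n in names):
            hits.append("zip with 11-char .vbs downloader")
    return hits

def is_locky_rundll(cmdline: str) -> bool:
    return bool(RUNDLL_RE.search(cmdline))

def build_sample() -> bytes:
    """Constructed message with the campaign's shape; the .vbs body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KsLQFye3454.vbs", "' placeholder, not the real downloader\r\n")
    msg = EmailMessage()
    msg["From"] = '"TOLER, PATRICA" <PATRICA.TOLER@macmillan.com>'
    msg["Subject"] = "A/C 0000055725 - Overdue Invoice"
    msg.set_content("Please see attached invoice")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=ZIP_NAME)
    return msg.as_bytes()
```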