API tools faq
paste
Racco42

2016-11-28 Locky "Urgent Alert"

Racco42
Nov 28th, 2016
1,636
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.93 KB | None | 0 0
raw download clone embed print report
  1. 2016-11-28 #locky email phisshing campaign "Urgent Alert"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------
  5. From: "Lucille Munoz" <Munoz.Lucille@airtelbroadband.in>
  6. To: [REDACTED]
  7. Subject: Urgent Alert
  8. Date: Mon, 28 Nov 2016 15:09:35 +0530
  9.  
  10. Dear [REDACTED], we have detected a suspicious money ATM withdrawal from your card.
  11. For your security, we have temporarily blocked the card.
  12. All the details are in the attachment. Please open it when possible.
  13.  
  14. Attachment: ATM_[REDACTED].zip -> HQ42vm3d.js
  15. -----------------------------------------------------------------------------------------------------------
  16. - sender varies between emails
  17. - subject is "Urgent Alert"
  18. - attached file "ATM_<recipient name>.zip" contains file "HQ<6-10 random lowercase chars and digits>.js", a JScript downloader
  19.  
  20. Download sites:
  21. http://cadgewigan.net/1l7zisxsqy
  22. http://cadgewigan.net/b6ib4i
  23. http://cadgewigan.net/lcbjuhbkz
  24. http://cadgewigan.net/oakdsrzi9
  25. http://ChinaFireExpo.com/ek0rmfs
  26. http://dodowiz.com/6udquj
  27. http://dodowiz.com/if0buyzso
  28. http://dodowiz.com/ynux4ac
  29. http://firstscog.net/2hd0sxoga
  30. http://firstscog.net/fygmen86lq
  31. http://firstscog.net/gitra3
  32. http://firstscog.net/llag3hkx
  33. http://holzschnitzereibinder.de/lajqgm3
  34. http://huishow.net/oqk0cd08k
  35. http://imagine-hawaii.com/o5jjsbx
  36. http://innogenap.com/epn3r
  37. http://irenta.lt/6bmqpuxc
  38. http://isidore.be/hbxieu
  39. http://itemweb.fr/38r7hzts4i
  40. http://jawar.eu/kysr5c
  41. http://jobgroup.it/078cprm
  42. http://kaozheng.info/9plkidz
  43. http://kiminsitesi.com/lxmub7y
  44. http://kitapportal.com/mqtc8rbu
  45. http://koguciuk.pl/d8usfpameg
  46. http://kuszowka.pl/bumq1
  47. http://kwlbroadcast.com/ok9mnd
  48. http://lecengwang.com/0r5lbas0
  49. http://lejiasheji.com/bqlwk
  50. http://lojaodaconstrucao.com/nrospop86
  51. http://loraycomunicaciones.com.ar/ib5ai
  52. http://lordalexleon.com/a6tqjgygw
  53. http://lv-nexis.com/fy1hxzmxi
  54. http://mainlandfishfarm.com/ms21hvyw
  55. http://mainlinecarriers.co.tz/fs8eet
  56. http://mainsl.es/mqhr0
  57. http://maximumauction.com/2httguh
  58. http://mib.tn/3vn98emgio
  59. http://milliner.ca/lpaeibpto
  60. http://mingxingjx.com/dawbvh
  61. http://misaho.com.ar/pklixzxgib
  62. http://mizhibuluo.com/kpgv0nhtm
  63. http://modepiraten.com/fka7stw
  64. http://momsonlymall.com/mhqqngfd
  65. http://moni.sk/ekbmt3kmg
  66. http://moymir58.ru/ga2qrlipnc
  67. http://m.sxbdf.com/vebwdlh
  68. http://myphychoice.com/8m97wj
  69. http://ruf.com.ar/txmlj
  70. http://sam31.ru/3nrlin9xlc
  71. http://sandiegoblindandshade.com/refzmrf
  72. http://satiliksanat.com/v5nvkwd7
  73. http://sexexpo.ro/q1tdahxd
  74. http://sinklinga.com/grdjik
  75. http://sinklinga.com/ihydkc
  76. http://sinklinga.com/s0iuo7f
  77. http://sinklinga.com/yuhkri
  78. http://statikwerk.de/pqkdqpo
  79. http://stazilivio.it/xtyl9ho5yc
  80. http://stellaar.com/xbxac4
  81. http://stream-renshosting.tk/unlx2
  82. http://taotao500.cn/x73qbgv
  83. http://trinechina.com/weqblvlv
  84. http://TruePublish.de/ps8w8kqy
  85. http://unykmodels.com/vpjuwe
  86. http://wavearni.com/ad0pqg
  87. http://wavearni.com/p0awxfblau
  88. http://wavearni.com/wifloy2heg
  89. http://wavearni.com/zumq01
  90. http://www.iweiboclub.com/jgymxjkydu
  91.  
  92. Malware:
  93. - encoded on download:
  94. e7e658b067021ea39fb20888d94d18253eb8e0e80c79f3a8a125b1877c959a5f http___cadgewigan.net_1l7zisxsqy
  95. 3d736015c7adf4c33f6c8cb5751373c4d5b0dac180a1ca099f2414e6c9b3cbc0 http___cadgewigan.net_b6ib4i
  96. 02a18f0a5752df8d7e79c2ea6cd1562de56ea362364c4e2d5cd3d00465e5ce12 http___cadgewigan.net_lcbjuhbkz
  97. 0b123c2086825b272fca0e834179a5e836682c7a704a16b1ab9acc8e8fc043d3 http___cadgewigan.net_oakdsrzi9
  98. dc3e3c621488f9eddf199ff6a93dda9146577b8dd463d92d32af4d07b6d9faea http___dodowiz.com_6udquj
  99. 20da7c1d48ecab12254292b967596be875281463f919737ab49c3c27591bea8a http___dodowiz.com_if0buyzso
  100. f3b8ddea03fb9f74d7cea59fd5dcaab0acfa4fd7f63c7bc4f5ebb5b677186d89 http___dodowiz.com_ynux4ac
  101. e9c15577dbe0a24df02047659059c53ea3bfa0726d27dc483767641b7cc4ab45 http___firstscog.net_2hd0sxoga
  102. 02e6370023a1fccf030c3f44e01fe147488770a527335fd2abbf6e1569d06704 http___firstscog.net_fygmen86lq
  103. c39961cef76d12b37cf4a70431477a33d510541da7b781670de5909b82740493 http___firstscog.net_gitra3
  104. 70dd8d00024c9130c8c23c3c10b3ece8b0f79b2f04fe02ff68f55891750e09f8 http___firstscog.net_llag3hkx
  105. 2c74ed3ca40293db48e5112ff07dbf5ce43a1c9bf65d0333091c92d8ffbe35f1 http___holzschnitzereibinder.de_lajqgm3
  106. 194334156f4e373bd6caf117b330cbdae8f6420398f4373ffaecdc7f988a03d2 http___huishow.net_oqk0cd08k
  107. 737bf0d762b3882552668f2ddb056f43d7d6ae238e6050516e7cadb74d580ca1 http___imagine-hawaii.com_o5jjsbx
  108. ca2decf22618d16447e238db665ce0ca513e9d53194d0ea164a57524c828d3a5 http___innogenap.com_epn3r
  109. a2a0cb4a3de47f9c3bf36ab2c13e3ea3fd0f509dff41a4517e28a922a11bab22 http___isidore.be_hbxieu
  110. e3e0e811163ad64dce63a2ddbfdaa06638a27f73ff911604fa4aa637d53b0697 http___itemweb.fr_38r7hzts4i
  111. fdfd62d166f367725d398abd158ba4537379ba09d1b2d3b32f1c31fb99d5d867 http___jawar.eu_kysr5c
  112. d6d6327630f31c8f4383eb17c82355b8fd2e908dcef6512ff071945007ebc4a5 http___jobgroup.it_078cprm [1]
  113. c47d2f6f74978a51fac1ae0264a5ebd8b7266a51a264f987a5abef8b8dd43765 http___kaozheng.info_9plkidz
  114. 46c1ca99d3bc5a35c36839190ade2f832c3bb07e9dba50bbf1012d2b6fc7524f http___kiminsitesi.com_lxmub7y
  115. b09bc26e5e1130c17eadc21de4fddb6a0f641db1eee9855422289b499beff521 http___koguciuk.pl_d8usfpameg
  116. fcb1f40494d6227185b2c31eebcbdc4795a92422526d6c3e4c033faeec943cff http___kuszowka.pl_bumq1
  117. 19cbea5f4ae2d4cbadbacdf921e8c142a2dc8eea85c38035fabd12f9094b3c5e http___kwlbroadcast.com_ok9mnd
  118. 27e5fdd752bce8e30ec313e07c8edc16b95d3afc3e70cbe7c12a961f595755f2 http___lecengwang.com_0r5lbas0 [4]
  119. dd1d4173eddd03de5231310fed285ab552b334011ea0e594797eac15d9c4309a http___lejiasheji.com_bqlwk
  120. 48e65de019ea6ebff06140867471d28617852303b0f3c5e9ce93ce51d4f2fe3a http___lojaodaconstrucao.com_nrospop86
  121. fa4a8dd40ef2e2600b4eb0e6c4a018304d200ae282046d1506f0782069beecba http___loraycomunicaciones.com.ar_ib5ai
  122. 49dadae71947566f037bdb413b3f7525b1ed70e267a938f4682d68c3e5bd7c15 http___lordalexleon.com_a6tqjgygw
  123. 42d0b31e66003149e78ea46f2bb87ab8eba9189b32311464ca41bcfa25d60e4b http___lv-nexis.com_fy1hxzmxi
  124. 17a50c6768fc2213cf4496e245dea3cf47c33300f48834ad4ed5a1232c0ffeae http___mainlandfishfarm.com_ms21hvyw
  125. 593985bf571f43749592c097e9ed8ddba629476301d83a6fd3b84230dfb32ba5 http___mainlinecarriers.co.tz_fs8eet
  126. fb5f3ca2008c5b5f65dd6bc9e6c0aed7b3e610cc975be7efdcc918a717e2b061 http___mainsl.es_mqhr0
  127. 10a46166a61d74e120fc6d38939ea1f328d16d20fdaeb36866e492c89091c033 http___maximumauction.com_2httguh
  128. ed5cc9fd91a8529bdcd16e85f1148f6f0a57264be84637eaf023a4b74d59c4ee http___mib.tn_3vn98emgio
  129. afa8b27728617e0792d913a97cc9540cdb250e2a3d9739ccb89e19543b276687 http___milliner.ca_lpaeibpto
  130. e01aa7b517161082ec25af35d8a61768df7348a38e98df1f24b7b83d17ca4416 http___mingxingjx.com_dawbvh
  131. 69afc17d4d36bb735b93f7f0f4d0142685563cb28fe729bdc87b3dbcd576d068 http___misaho.com.ar_pklixzxgib
  132. e47503c9a4d0ec12ca92c322de9ea480a63e027522444ea238d70c3a1dbe09da http___mizhibuluo.com_kpgv0nhtm
  133. ce4a60864bc5dcff3673d4386de36969eb2845c1c514aadb42e9c6aec8dd62a1 http___momsonlymall.com_mhqqngfd
  134. f0ee7b250984f28fc85c826fbabf3270a3486cee28b79b07fdc740508dd5374d http___moni.sk_ekbmt3kmg
  135. d1c173e4cc61de5b9d5309f2443edcf73d065ea1bfa51a1dfbbf15e581e8bdbd http___moymir58.ru_ga2qrlipnc
  136. 04a5c2eee4e965a6a646cafcc229c3935f1bb5d863b425812ec5c7d1ca6eda48 http___myphychoice.com_8m97wj
  137. 8778821311c11a5b04b8cf81e150178f1b5f6b814f97ff5225d798b392eb0380 http___ruf.com.ar_txmlj
  138. 4db8685cbefceaab089cd8c8453eca6fe2c104688a1ddbdfae3df13065404574 http___sandiegoblindandshade.com_refzmrf
  139. 440bbe9191e4d513fe8b8c37e2e6f0fde9e491241c2a35cb6b8ffdea425bfaab http___satiliksanat.com_v5nvkwd7
  140. d58a44635df8077524bc3b337c3702aca3b30b8589092ea5d57be15dc3897078 http___sexexpo.ro_q1tdahxd
  141. 16e002e7d94d041c69db6342737fc7d258aea42e30dd5616ab0b9b8f3d113ce0 http___sinklinga.com_grdjik
  142. 95b1d191375e36d3118488a1b3c329817068e56b968f111799a245d5ec2677ec http___sinklinga.com_ihydkc
  143. 100049e51a2d73fdfde2ba592c6d31482a58a514d432e2090fa0dd5527ea01b6 http___sinklinga.com_s0iuo7f
  144. b75c4c13ba9d13b7b3fbb517b034173f59e762d574001bf3f81985b324606192 http___sinklinga.com_yuhkri
  145. 953e0053f4bcc7ee175be4a8775c45c8c00ba9ec73c226d6222f50d5f2a2c0ea http___statikwerk.de_pqkdqpo
  146. 40fc74e52625e278e706138724fc22cb220fc01cbf6716014c8f83f747554a9e http___stellaar.com_xbxac4
  147. 180fb109cf7b8bff97567e82ee484acfe5a06480d45916fce948742ca4a5532b http___stream-renshosting.tk_unlx2 [2]
  148. ccf7bed5018fdb779131493e68fe68f028c612c9ff569f7ca1042fd692f4416e http___trinechina.com_weqblvlv
  149. fce8a2f19e117f24c772bf93bf4d3d634836308f89654a329648625820c19352 http___TruePublish.de_ps8w8kqy
  150. cfa8ee4dd53166ade12696bd54f11e13a5eefc2c6b004c9de02c5ce488e71e3d http___unykmodels.com_vpjuwe
  151. 03ba17ea42afe1d3d703aab3e5a8e95946e8f7b3445f0a2356008218bcc2dfbb http___wavearni.com_ad0pqg
  152. 9e401f9dccb1b0b8337091ca309c4e978912e4c9f4892c5a960c7e0b3ed51682 http___wavearni.com_p0awxfblau [3]
  153. 602d6ec82fe84a5f63202a5208be3b8d3331aeb42f6f4c5a6a12e007dbd5069e http___wavearni.com_wifloy2heg
  154. 85a27eec502e5a0f3384eff7286a4056fda0bd2473c24cb4d4b0b8dcdfcb280f http___wavearni.com_zumq01
  155. 90e111b9ba5c3cb43e134027f38c8803161c9f8c86355a7e1b7d378966c6e21c http___www.iweiboclub.com_jgymxjkydu
  156. - decoded
  157. 6447983ed1a28d709c1322e88f42a6824357feabfb1e4a788a53e1cb78a9debf [1]
  158. 45d0060c79073680e5404e41c0b32826d43616a6df19ce21aaaf793dd7fb686c [2]
  159. f0b53712738e21470ee16bef546718c9aca0cbd492d55677e30cab07c7ef6699 [3]
  160. 55eef02bd845e680ae6a536b9a207e34558bc6f93eeb1e1b2edfd9f43b796e2b [4]
  161. - executed by "rundll32.exe %TEMP%\<filename>.tdl,XXvyHp3iGz5U"
  162.  
  163. C2:
  164. POST http://185.146.171.180/information.cgi
  165. POST http://213.32.66.16/information.cgi
  166. POST http://91.201.42.83/information.cgi
  167. POST http://aqywxbydjguf.pw/information.cgi
  168. POST http://bmcessbokus.work/information.cgi
  169. POST http://cooqhqljudfgoann.org/information.cgi
  170. POST http://jtkvngdpkvvuw.pl/information.cgi
  171. POST http://kllnmybclxvwyysi.ru/information.cgi
  172. POST http://ledyury.info/information.cgi
  173. POST http://ninqnfurim.pl/information.cgi
  174. POST http://qxtbmraigtiecy.info/information.cgi
  175. POST http://rldtmruliuen.work/information.cgi
  176. POST http://tsushhwhfe.biz/information.cgi
  177. POST http://wboxusonewxvl.info/information.cgi
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!