- 2017-10-03: #locky email phishing campaign "INVOICE"
- Email samples:
- --------------------------------------------------------------------------------------------------------------------------
- From: Ward Siddons <sales@[REDACTED]>
- To: [REDACTED]
- Subject: INVOICE
- Date: Tue, 03 Oct 2017 11:56:59 +0200
- Dear Sir,
- PLEAS FIND ATTACHED YOUR INVOICE AS REQUESTED.
- Thank you and Kind regard's
- *Ward*
- Attached: A_7643046228.7z -> 40d9e8b2-23ae-4ff0-9b31-f76ec9cedefa.js
- --------------------------------------------------------------------------------------------------------------------------
- - sender address is forged to look as if it comes from sales@<recipient domain>, i.e. from the victim's own domain
- - subject is INVOICE
- - attached file "A_<8-12 digits>.7z" contains a file "<8 hex chars>-<4 hex chars>-<4 hex chars>-<4 hex chars>-<12 hex chars>.js" (GUID-style name), a JScript downloader which fetches the malware from one of the following URLs (same path /jhgf54y6 on every host):
- Download sites:
- http://3overpar.com/jhgf54y6
- http://arkberg-design.fi/jhgf54y6
- http://basedow-bilder.de/jhgf54y6
- http://bibtic.net/jhgf54y6
- http://bridleridgehorses.com/jhgf54y6
- http://charter-base.de/jhgf54y6
- http://crack-attack.net/jhgf54y6
- http://embutidosanezcar.com/jhgf54y6
- http://enixgaming.de/jhgf54y6
- http://fbl.com.sg/jhgf54y6
- http://holmac.co.nz/jhgf54y6
- http://jtpsolutions.com.au/jhgf54y6
- http://kitami-ansin.com/jhgf54y6
- http://peopleiknow.org/jhgf54y6
- http://pesonamas.co.id/jhgf54y6
- http://stemcellenhancementresearch.com/jhgf54y6
- Malware:
- - locky ransomware, offline ykcol variant
- - SHA256: 70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3, MD5: cf92bea857aea977023ad61ec6b6c980
- - VT: https://www.virustotal.com/#/file/70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3/detection
- - HA: https://www.reverse.it/sample/70d06bd4e6a91b60bc8515e327fa1f9fb7ac82125e3c8a06359b5bb3f96e48f3?environmentId=100
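- Added example (not part of the original paste): a small Python triage script that encodes the campaign indicators listed above (forged sales@<recipient domain> sender, subject INVOICE, A_<digits>.7z archive containing a GUID-named .js, download hosts and the shared /jhgf54y6 path) and runs them over constructed sample data. Archive listing is assumed to be done by the caller; the sample e-mail and URLs are made up for the demo and are not captured traffic.

```python
import re
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Naming patterns taken from the campaign description in the paste.
ATTACHMENT_RE = re.compile(r"^A_\d{8,12}\.7z$", re.IGNORECASE)
INNER_JS_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.js$",
    re.IGNORECASE,
)
PAYLOAD_PATH = "/jhgf54y6"  # shared by every download URL in the paste

# Download hosts listed in the paste.
KNOWN_HOSTS = {
    "3overpar.com", "arkberg-design.fi", "basedow-bilder.de", "bibtic.net",
    "bridleridgehorses.com", "charter-base.de", "crack-attack.net",
    "embutidosanezcar.com", "enixgaming.de", "fbl.com.sg", "holmac.co.nz",
    "jtpsolutions.com.au", "kitami-ansin.com", "peopleiknow.org",
    "pesonamas.co.id", "stemcellenhancementresearch.com",
}


def split_addr(header_value: str) -> Tuple[str, str]:
    """Return (local part, domain), lower-cased, from a From:/To: header value."""
    _, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def sender_is_forged(from_header: str, to_header: str) -> bool:
    """The campaign forges the sender as sales@<recipient's own domain>."""
    from_local, from_domain = split_addr(from_header)
    _, to_domain = split_addr(to_header)
    return from_local == "sales" and from_domain != "" and from_domain == to_domain


def attachment_matches(outer_name: str, inner_names: Iterable[str]) -> bool:
    """Outer archive A_<8-12 digits>.7z holding a GUID-named .js dropper."""
    if not ATTACHMENT_RE.match(outer_name):
        return False
    return any(INNER_JS_RE.match(n) for n in inner_names)


def classify_email(msg: Dict) -> List[str]:
    """Return the campaign indicators that fire on one parsed message.

    msg has keys 'from', 'to', 'subject' and 'attachments'; 'attachments' is a
    list of (archive_name, [member names]) tuples produced by the caller.
    """
    hits: List[str] = []
    if msg.get("subject", "").strip().upper() == "INVOICE":
        hits.append("subject")
    if sender_is_forged(msg.get("from", ""), msg.get("to", "")):
        hits.append("forged-sender")
    if any(attachment_matches(o, m) for o, m in msg.get("attachments", [])):
        hits.append("js-in-7z")
    return hits


def classify_url(url: str) -> Optional[str]:
    """'known-host' for a listed download site, 'path-only' when only the shared
    /jhgf54y6 path matches (the campaign rotates compromised hosts), else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in KNOWN_HOSTS:
        return "known-host"
    if parsed.path == PAYLOAD_PATH:
        return "path-only"
    return None


# Constructed sample inputs mirroring the paste (not real captured data).
SAMPLE_EMAIL = {
    "from": "Ward Siddons <sales@example.com>",
    "to": "accounts@example.com",
    "subject": "INVOICE",
    "attachments": [("A_7643046228.7z", ["40d9e8b2-23ae-4ff0-9b31-f76ec9cedefa.js"])],
}
BENIGN_EMAIL = {
    "from": "sales@vendor.example",
    "to": "accounts@example.com",
    "subject": "Invoice 1234",
    "attachments": [("invoice.pdf", [])],
}
SAMPLE_URLS = [
    "http://3overpar.com/jhgf54y6",   # listed host and path
    "http://example.org/jhgf54y6",    # unknown host, same path: likely a rotated site
    "http://3overpar.com/index.html", # listed host, other path
    "http://example.org/",            # nothing
]

if __name__ == "__main__":
    print("sample e-mail:", classify_email(SAMPLE_EMAIL))
    print("benign e-mail:", classify_email(BENIGN_EMAIL))
    for u in SAMPLE_URLS:
        print(u, "->", classify_url(u))
```

- The path-only match is deliberately reported separately from a host hit: the hosts in the list are compromised legitimate sites that change between waves, while the /jhgf54y6 path was constant across all of them in this wave, so a proxy-log search on the path alone catches rotated hosts at the cost of occasional false positives.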