SHARE
TWEET

2016-12-02 Locky "Emailing: EPSxxxxxx"

Racco42 Dec 2nd, 2016 (edited) 241 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 2016-12-02 #locky email phishing campaign "Emailing: EPS0000xxx"
  2.  
  3. Email sample:
  4. --------------------------------------------------------------------------------------------------------------
  5. From: "eli" <eli.spears@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: Emailing: EPS0000697
  8. Date: Fri, 02 Dec 2016 18:20:30 +0530
  9.  
  10. Please find attachment.
  11.  
  12. ---
  13. This email has been checked for viruses by Avast antivirus software.
  14. https://www.avast.com/antivirus
  15.  
  16. Attachment: EPS0000697.docm
  17. --------------------------------------------------------------------------------------------------------------
  18. - sender varies between emails, but the sender address is faked to be from recipient's domain
  19. - subject is "Emailing: EPS0000<1-3 digits>"
  20. - attached file "EPS0000<1-3 digits>.docm" is a Microsoft Word document with malicious macro that will download from
  21.  
  22. Download sites:
  23. http://puchipuchivirus.com/74t3nf4gv4
  24. http://rnaweb.nl/74t3nf4gv4
  25. http://seyahatdanismani.net/74t3nf4gv4
  26. http://shangtaomao.com/74t3nf4gv4
  27. http://sieuthicuadep.com/74t3nf4gv4
  28. http://silverhand.eu/74t3nf4gv4
  29. http://skladst.ru/74t3nf4gv4
  30. http://skpc.org.au/74t3nf4gv4
  31. http://smoki.neostrada.pl/74t3nf4gv4
  32. http://sobretesis.com/74t3nf4gv4
  33. http://solid-consulting.nl/74t3nf4gv4
  34. http://sorata.iweb.hu/74t3nf4gv4
  35. http://space4elephants.org/74t3nf4gv4
  36. http://spartech.pl/74t3nf4gv4
  37. http://speciaaldesign.nl/74t3nf4gv4
  38. http://sport-bike.pl/74t3nf4gv4
  39. http://sportwr1.pl/74t3nf4gv4
  40. http://steamingaudio.myzen.co.uk/74t3nf4gv4
  41. http://storebet.ru/74t3nf4gv4
  42. http://subuys.com/74t3nf4gv4
  43. http://sudarsan.net/74t3nf4gv4
  44. http://sudeepgurtu.com/74t3nf4gv4
  45. http://syedtradingco.com/74t3nf4gv4
  46. http://syjcfw.com/74t3nf4gv4
  47. http://taikosushibar.com.br/74t3nf4gv4
  48. http://tandsmil.dk/74t3nf4gv4
  49. http://tansontravel.com/74t3nf4gv4
  50. http://taokefx.com/74t3nf4gv4
  51. http://tatooshsfds.com/74t3nf4gv4
  52. http://tbhomeinspection.com/74t3nf4gv4
  53. http://teknoportbilisim.com/74t3nf4gv4
  54. http://telasbellavista.cl/74t3nf4gv4
  55. http://thecodega.com/74t3nf4gv4
  56. http://thesalesmob.com/74t3nf4gv4
  57. http://thesprezzatura.com/74t3nf4gv4
  58. http://thesurfbreak.com/74t3nf4gv4
  59. http://threepoints.co.nz/74t3nf4gv4
  60. http://thxlove.com/74t3nf4gv4
  61. http://tidytrend.com/74t3nf4gv4
  62. http://tinybearshop.com/74t3nf4gv4
  63. http://tishana.es/74t3nf4gv4
  64. http://tobybender.com/74t3nf4gv4
  65. http://tollytalkies.com/74t3nf4gv4
  66. http://tomhermans.be/74t3nf4gv4
  67. http://translate-all.eu/74t3nf4gv4
  68. http://tribech.com/74t3nf4gv4
  69. http://tritel.com.my/74t3nf4gv4
  70. http://ttrutesheim.de/74t3nf4gv4
  71. http://usaegisgroup.com/74t3nf4gv4
  72. http://uytinviet.com/74t3nf4gv4
  73. http://vakiapaint.com.vn/74t3nf4gv4
  74. http://vazmaz.com/74t3nf4gv4
  75. http://vegasorder.com/74t3nf4gv4
  76. http://vvenusselection.es/74t3nf4gv4
  77. http://vertimex.ro/74t3nf4gv4
  78. http://villaphenomena.com/74t3nf4gv4
  79. http://vipgwj.com/74t3nf4gv4
  80. http://vipseal.de/74t3nf4gv4
  81. http://viviendadelrincon.com/74t3nf4gv4
  82.  
  83. UPDATED:
  84. ralphkunze.de/74t3nf4gv4
  85. raovat4u.com/74t3nf4gv4
  86. rhinohosts.com/74t3nf4gv4
  87. sid.com.hk/74t3nf4gv4
  88. slagelse-maskinforretning.dk/74t3nf4gv4
  89. snt34.fr/74t3nf4gv4
  90. sokenthai.com/74t3nf4gv4
  91. solmachine.cl/74t3nf4gv4
  92. sonunda.biz/74t3nf4gv4
  93. soulson.de/74t3nf4gv4
  94. sozgroup.com/74t3nf4gv4
  95. spoiltgirlsclub.com/74t3nf4gv4
  96. ssrips.com/74t3nf4gv4
  97. stjohns2012.ca/74t3nf4gv4
  98. swivelsrus.com/74t3nf4gv4
  99. taghdis.ir/74t3nf4gv4
  100. techpow.net/74t3nf4gv4
  101. theory.issp.ac.cn/74t3nf4gv4
  102. tiffeat.com/74t3nf4gv4
  103. torbellon.com/74t3nf4gv4
  104. trackdayphotography.co.uk/74t3nf4gv4
  105. trehoada.org/74t3nf4gv4
  106. trendsandtrades.nl/74t3nf4gv4
  107. trilab.sk/74t3nf4gv4
  108. tt-comp.ru/74t3nf4gv4
  109. ttvtelecom.vn/74t3nf4gv4
  110. u-flats.com/74t3nf4gv4
  111. v4c.tv/74t3nf4gv4
  112. veredictofutbol.com/74t3nf4gv4
  113. vertex-shop.ru/74t3nf4gv4
  114. viacon.lt/74t3nf4gv4
  115. vichycoconutoil.com/74t3nf4gv4
  116. villa31.com/74t3nf4gv4
  117. vioozmovies.net/74t3nf4gv4
  118. virtuapoint.com/74t3nf4gv4
  119. vkd.asia/74t3nf4gv4
  120.  
  121. Malware:
  122. - encoded on download SHA256 3a47529ce9871c0b74c724b4ec4ee4986ae3bbbcbe62a8273291f134498c02e0, MD5 e7dce422e0fc509ef7f6c3e94a2e70b6
  123. - decoded SHA256 6292c2b85b29c9dc019f731f7f2ab488876a15b49d71444f075f87712107a7fa, MD5 7e46c1d13c4ac408ef49646be8b4eab0
  124. - executed by "rundll32.exe %TEMP%\<dll_name>,phone"
  125. - sample: https://www.reverse.it/sample/5741c2ed76233840094e4f0248cc69d6e8a45fee36533f9a3400395ed25aecba?environmentId=100
  126.  
  127. C2:
  128. POST http://195.19.192.99:80/information.cg
  129. POST http://91.142.90.61:80/information.cgi
  130. POST http://69.195.129.70:80/information.cgi
  131. jehehrngyoenjh.org
  132. tcskreweaeutgxu.pl
  133. hdgpfnmathnp.org
  134. bkclkuoxuwnfxo.work
  135. dxbwjnbalejcuaht.ru
  136. qcynnhb.ru
  137. csmyyfebowkvjxm.biz
  138. assxnyqmrtmiwnvqd.su
  139. bvaclaneoelbnk.pw
  140. thcoknhraephkxgi.su
  141. lquuqkf.org
RAW Paste Data
Top