API tools faq
paste
Racco42

2016-09-30 Locky "Parcel details"

Racco42
Sep 30th, 2016
1,501
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.67 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-30 #locky email phishing campaign "Parcel details"
  2.  
  3. Email:
  4. ---------------------------------------------------------------------------------------------------
  5. From: "DHL" <Mejia.730@airtelbroadband.in>
  6. To: [REDACTED]
  7. Subject: Parcel details
  8. Date: 30 September 2016 at 11:35:11 BST
  9.  
  10. Dear [REDACTED],
  11.  
  12. We couldn't deliver your parcel on September 30th because we couldn't verify the given address.
  13. Attached is the shipment label. Please print it out to take the parcel from our office.
  14.  
  15. Best Wishes,
  16. Michelle Mejia
  17. DHL Express Service
  18.  
  19. Attachment: DHL_parcel_fe78efdfb.zip
  20. ---------------------------------------------------------------------------------------------------
  21. - sender varies between emails, but the display name is always "DHL"
  22. - subject is "Parcel details"
  23. - attached file "DHL_parcel_<random hexa chars>.zip" contains two files - a one-letter named junk file and "DHL parcel <random hexa>.wsf, a JScript downloader
  24.  
  25. Download sites:
  26. http://amsterdamrent.com/qgexy
  27. http://asotelepathology.org/ib9h5k8
  28. http://binhminh-group.com/igis2
  29. http://bushidotactical.com/rm7tnimd
  30. http://clsss.ru/gk3cgl
  31. http://discountghd.org/o86560
  32. http://drugvacoa.net/0r4xu
  33. http://drugvacoa.net/46om06m6
  34. http://drugvacoa.net/6n00x
  35. http://dvdzone24.com.au/dxat8
  36. http://ensaenerji.com/h5piv
  37. http://extramileteam.com/yow5y
  38. http://gesansow.net/4c59r
  39. http://gesansow.net/7kvi9e
  40. http://giaythethaonike.com/b467ji2u
  41. http://greenshootmedia.com/w1zanty
  42. http://iambestone.com/7q2jrq
  43. http://imagillaboration.org/lqqr8vss
  44. http://judgedeborahshallcross.com/wri2h09
  45. http://juleswham.com/8rsh6d6n
  46. http://juleswham.com/avprk
  47. http://karacanalbum.com/pr2tra
  48. http://komintern-online.com/mdwib
  49. http://minevitamin.com/evret5n
  50. http://networkthai.org/nfvtboe
  51. http://profsonstage.com/poy8oy3
  52. http://puchipuchivirus.com/vvkqo7
  53. http://purebanquet.com/ct00a
  54. http://relaywebsample.com/dusfk4hg
  55. http://sudep-registry.org/ekpsq
  56. http://techscape4.com/vc2lvvtt
  57. http://tpidbanjarmasin.org/yk1mo
  58. http://travelnesia.net/df30xpqx
  59. http://u2station.com/eilpcvif
  60. http://ubonria.com/b7s85nd
  61. http://unityquire.com/1nloic
  62. http://unityquire.com/480cxgc
  63. http://unityquire.com/6rz0s56
  64. http://unityquire.com/9s7ptf0b
  65. http://vonsky.com/yex94t
  66. http://welovekgc.com/djz2wr
  67.  
  68. UPDATED:
  69. http://altorelevo.net/oftup
  70. http://australiandesignerweddings.com/owe4q8
  71. http://bernardchandran.com/wkn6l
  72. http://drugvacoa.net/8uatxoua
  73. http://elmostashar.com/g9aduh
  74. http://endwithcare.org/ispuny
  75. http://fungasoap.net/y4nu4s
  76. http://gesansow.net/3i9wk
  77. http://gesansow.net/9wy2xdiq
  78. http://hotelikbej.pl/z9i76g
  79. http://iambestone.com/3r3mz
  80. http://iambestone.com/4gq9h
  81. http://iambestone.com/arh240
  82. http://ict-net.com/gf8rs4w
  83. http://juleswham.com/3w1m1
  84. http://juleswham.com/6glkp
  85. http://localxmobi.com/kvu30
  86. http://optimalpoland.pl/orzfhl
  87. http://room8008.com/g44ntci1
  88. http://sadek-music.com/x66g7y
  89. http://tpidbanjarmasin.org/yk1mo
  90. http://travelnesia.net/zue2i6
  91. http://vktechs.com/icmux
  92. http://wmunigeria.org/ycem6gq
  93.  
  94.  
  95. Malware:
  96. 749cfdab2a53980de71e8125c130aacde6e9073e44f6f9ddf9168986789cfc0e http___amsterdamrent.com_qgexy
  97. dbfbc6c24761882fa2c30bfb14f93d2206dd2ee7048d65b6e83541810d47b51c http___asotelepathology.org_ib9h5k8
  98. c8f009a6b069fcd9ae520722f08bd669dc63b119aedf4861344b583f6b96aff6 http___binhminh-group.com_igis2
  99. e2d8c8906fb328688a870da0b2660d8d8cbc3f535ec0c34367bddb507137b4c0 http___clsss.ru_gk3cgl
  100. cc6712277f481b32a04ba30c4092a95bfd34641b30bbc3247bc0aac369346ea4 http___discountghd.org_o86560 [3]
  101. 23358aaa803514455e112e7df77f3a089fbf248e46d145531929fdd6ce3db113 http___drugvacoa.net_0r4xu
  102. 7db7c6e1661abdda2e9aba4869496b353181dae00dcaa3458fb0826e45973483 http___drugvacoa.net_46om06m6
  103. bf95fc6b56d9a314e5026f0bbd408898147cbe2e21e2037f398eda6f051ada77 http___drugvacoa.net_6n00x
  104. ebaa96dd0113bca226151d92db1fc3424d342b3de04394a64d3616c94768e93d http___ensaenerji.com_h5piv
  105. 142b23b15bade1dd2480547db7ab817c3bae1f730d685e935cee57550ab8c025 http___extramileteam.com_yow5y
  106. 34fe65d5782e6b5152930f4bbae1c5c2b2e982db3aa0e5a5ff5493ad2870c988 http___gesansow.net_4c59r
  107. c8810028a191985efa547f25a195ec935c5d10ef50cccd37682ded69b57e658a http___gesansow.net_7kvi9e
  108. a7b84724958429816cf961c431f2dacd2510481c4a8999b0e49d33769a6245e3 http___giaythethaonike.com_b467ji2u
  109. 217ed6b3382a8bbbf0b9650ed63ec729fdafd2fafacee7c1fc667f3a0dfa72d5 http___greenshootmedia.com_w1zanty
  110. be2f7fb68ebe98b29c56f3d3da9cba89c35c72252d635dc94075a0f97044ac5f http___iambestone.com_7q2jrq
  111. b44669a1bbfd5790d4018fc5c85b2b37350a5c13caac0b47c2095856058cad8d http___judgedeborahshallcross.com_wri2h09
  112. d38ec37490edadbf293680037fba53ac218190cbf9cac973a3d952ca49eceecf http___juleswham.com_8rsh6d6n
  113. 9c7c6adb2914350d89a9f6be375b77b39cf58f50e1d9d97b0f31684346ce06d6 http___juleswham.com_avprk
  114. 3500e47b738e67b8af473f2cdfcabd178a58e8e7b2d92b54b3eb5fbd10a80592 http___karacanalbum.com_pr2tra
  115. b3989814f52d8e90aeba84a0598f98f004301304562efd90078093d6d48d9598 http___komintern-online.com_mdwib
  116. 57a621ec5117cd1af6d261e07dce39cac0cc01b8dab148c5ad67f93360629af2 http___minevitamin.com_evret5n
  117. 510b8df01b9b9c0231b2ab00e625915c731b0976db0b888647a312f36a84516a http___networkthai.org_nfvtboe
  118. c1fd9a1ae9c80eb7146c78d8cd6343a3f701fa7d9ff8a14a39bcad75b9c52f0b http___profsonstage.com_poy8oy3
  119. 01ccd671d9c8f134b74f03bea6305b4dd37e03d9d29b9d803c35ff87ba2f76c6 http___puchipuchivirus.com_vvkqo7
  120. cc8b6d088638a9c4d60ab52a4d05d7f11029506cfa59128b2973941e14c272ee http___purebanquet.com_ct00a
  121. 5909e3edda166ddae0dec54827560bf0faeeaf38370f367b304d6ab53b31bfce http___relaywebsample.com_dusfk4hg
  122. 443942b763e1cd560f7d368b3759aeba0cd84f303c863cef492b92b2433f27ee http___sudep-registry.org_ekpsq
  123. 694e318077e7f0642b95f3807c3249ee2bf85d7265650d9c12db42695e9a6d1a http___techscape4.com_vc2lvvtt
  124. 6a73cee561137fe1afa09fab8fc90ed06121ffa46ec0d46d4927c826363d705e http___travelnesia.net_df30xpqx
  125. 9378ebbd4a4b0f9d988155d84e8aac50d60bd025fe987bfc24a56d36fe5a3eed http___u2station.com_eilpcvif
  126. b120b271e801043cdfaba5a656efeedb94ff27bff6952f1aa92bc818e259d6c5 http___unityquire.com_1nloic
  127. eca733e057c3d83f2592487719739d126fbb3fdf98f9b032d1d5db16a5adafb1 http___unityquire.com_480cxgc
  128. d2f557eabbb7546e51b94001fd07dc77e139d44aa2ae4463605cce3da453fdab http___unityquire.com_6rz0s56
  129. 56b19eace69bb726dd6ee4ff984d30181a0ece3ccf6c3963a0eeba326921e40d http___unityquire.com_9s7ptf0b
  130. bdec2f3ba43f06492b3f92fc1f433935f12ff927ddaf55c6417398dce2a94186 http___welovekgc.com_djz2wr
  131. 099fdee0c093aa296bac5b1f40fe00f08984dd72e68c67d09d8eaf298457f34e http___bushidotactical.com_rm7tnimd [1]
  132. 557c8260cc2cc6db3a543084ca53465171061a94f7532e5f08c6602d218a6988 http___tpidbanjarmasin.org_yk1mo [2]
  133. - decoded
  134. ce65d81ee226855a3765e2c08bb7e7c214b10b4ee06cd180d7bda44f774e04a4 [1]
  135. eaf11a89c2ebcb217b22a85e98d7a4cc41b0db63a19a6c3f50bd2da37ea9e672 [2]
  136. eeed0454cae7ca13de8267037d6eb7cf2a6ee5e8c061d54c2fa51f5b97a8800b [3]
  137. - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
  138. - samples:
  139. https://www.reverse.it/sample/9fc35f50cdcde099d432c4e80edaa0af053ae51a454ef2f705b76b4ce3a26fe9?environmentId=100
  140. https://www.reverse.it/sample/be64aea5979ef0de3db6fb00eb6ca862efcf2a87c9b033e7dac7bfab1f752c09?environmentId=100
  141. https://www.reverse.it/sample/777c9724db855b2908d6569663ff95aab9f9d45b98d528db20dfe8008e8ce0ce?environmentId=100
  142. https://www.reverse.it/sample/10d2662824ccb732bf15e548a67dfe17be6cb1df5daf8fd44a0f1b3de8e11ada?environmentId=100
  143. https://www.reverse.it/sample/fd8e4c9d74c162d26b50370bae1d39c8bc2b70034ed6c4317fe22c1d00f4af09?environmentId=100
  144. https://www.reverse.it/sample/5a7ce310ba4edebb31382d3d05230363867737ccd3bec5bebe27343a97689e61?environmentId=100
  145.  
  146. C2:
  147. POST 185.135.80.235:80/apache_handler.php
  148. POST 217.12.199.244:80/apache_handler.php
  149. POST 91.107.104.140:80/apache_handler.php
  150. POST akpmonvka.biz:80/apache_handler.php [185.43.4.143]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!