Racco42

Locky "bank transactions"

Aug 31st, 2016
2018-08-31 #locky email phishing campaign "bank transactions"

Email sample (sender address varies between emails):
-----------------------------------------------------------------------------------------------
From: "Sandy Moran"
To: [REDACTED]
Subject: bank transactions

Good morning [REDACTED].

Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.



Yours truly,
Sandy Moran

-----------------------------------------------------------------------------------------------
Attachment "[random characters].zip" contains the file "[8 random hex chars]_bank_transactions.js", a JScript downloader.

Download sites:
http://01ad681.netsolhost.com/ym0zloe
http://210.240.104.2/6gycr4x
http://212.26.129.68/bxdwi0
http://79.96.153.93/jtsgreua
http://80.241.232.207/tpryd9
http://abufarha.net/m3i2h
http://akeseverin.com/mfr67
http://akristall.ru/db54k8c
http://alci.dommel.be/tzydtpf
http://amandinearmand.perso.sfr.fr/vdq5lp
http://bookinghotworld.ws/0761l
http://cybersocialization.ru/c1uxu7w9
http://dev12.gammat.net/32vp6m
http://enigmes4saisons.perso.sfr.fr/dilveh
http://foodbiz-net.com/82zppv
http://gebetech.at/88bq4
http://impregui.com/v0k8v
http://izeinstruments.com/gq2edb
http://kallait.szm.com/vipzq8
http://malwinstall.wang/0un6xtal
http://mambarambaro.ws/1m202
http://my.st21.ru/ecm04dx
http://newt150.tripod.com/rtc6a
http://pkgame.cba.pl/e4qp8zz
http://realm-of-rage.heimat.eu/buxprxv
http://robbeottoy.dommel.be/pb435ks
http://smc.psuti.ru/rvnfdn26
http://steelfs.com.mx/i0ex6
http://timetobuymlw.in/26swqrkm
http://two-capitals.com/f6a2xhp
http://twup.com.br/qaxr2wq
http://virmalw.name/2lnbr
http://www.ecotek-canada.us/mq73x3r
http://www.europegreen.org/va99dis
http://www.ferresur.es/r0sig09
http://www.fulvio77.it/50glk
http://www.galleriacolonna.org/euhyxd5
http://www.instalacionesjosearteaga.com/s7yy5
http://www.jenohorvath.be/xac2y8
http://www.jramirez.com/c3erjl
http://www.liviazottola.it/jdg3v7
http://www.mbeccarini.com/8k8bpxvf
http://www.mediawareonline.it/ediuv66v
http://www.meta.metro.ru/uumr65
http://www.nadelaur.com/9rbsf
http://www.opal.webserwer.pl/hpeqoqgg
http://www.orad.it/ax2zc0
http://www.osservatoriofigurale.it/go7sjh
http://www.robtozier.com/nfltbyrp
http://www.sashraf.plus.com/0761l
http://www.smoes.net/vrjhlrj7
http://www.totalfitness.it/9fsvcc
http://www.vincenzofranchino.it/26swqrkm
http://www.visionaero.com/oa25q70
http://www.vissershuisje-bredene.be/fisg4

Malware is served in encoded form during download, filesize 141828 bytes. SHA-256 of the downloaded file, one per download site:
56a2fd4aacaf2b77a9087700b043e156c3e16fc72845931b6a14c5eb40f5e226 http___01ad681.netsolhost.com_ym0zloe
a11deb86cea80e79c8b84c3c20ab5713232d91d6634a1727a0502399f6e33bf7 http___210.240.104.2_6gycr4x
0b8161d1f9156093864973b2eb8cda9e8f518fff26a45f95ac8e6d99992a4086 http___212.26.129.68_bxdwi0
60bd36c2306a8f47ddaed7e49869ec8d2b50622f53bfbd66aa9f3f4c16c5c609 http___79.96.153.93_jtsgreua
dd32ce9ebb774c5a9e0fff89c4b7387d823c0e169482e0c834aeecdde4a22755 http___abufarha.net_m3i2h
1e342f5a0c4b5e360d2cd519eae5ade4f325c36ecca3ea5a1f6cd611b126c465 http___akristall.ru_db54k8c
2883d90f5e2633139692675a0fc9bbe8a344f43663d396c5ec1d14f39bdd865d http___amandinearmand.perso.sfr.fr_vdq5lp
a95329db64b2c29ef4f99b61b54250035a639e4958b42411dc38c1d69f7a12f9 http___cybersocialization.ru_c1uxu7w9
062e8ac3e85e1085f264fd51a7a7da5c9a9b0f16c8c8738d04f81608afa694cb http___dev12.gammat.net_32vp6m
87a9c7cb41ef1fa56c238e3c8929ccb096e9c4f4b60393d8e8d621527429e67b http___enigmes4saisons.perso.sfr.fr_dilveh
4f2fd3d4a61d5d4df7ea1bde7439a0b1624cd7281a59fa826fbb1cefe371c1cb http___foodbiz-net.com_82zppv
41b906cc2ea569fd2a3897a139ecae2e2ff5c0157b720d41426170762c798f00 http___gebetech.at_88bq4
0fc14d03bd6d37ef49be0afe473797c575ef9e29b5382a4c98165c83340c1a29 http___impregui.com_v0k8v
60c322034f04d24e5758ef305d7930931fe238a3e39d73dff860ccfdf1b58783 http___kallait.szm.com_vipzq8
09ffb0091b157e19baa5b2b09fce6448b2cb7511a60fe6407a0974d1fd805bfc http___my.st21.ru_ecm04dx
cf0929318fb532b2be0436bf20f6a020ae287fbb2cbdd0d00f7482a9a08306a3 http___newt150.tripod.com_rtc6a
150af26ac3ac16ad4125ad50379b5ff3276c239e150bd08d0a57f39387565c8e http___pkgame.cba.pl_e4qp8zz
0c6edf594ad97ead0d9a306da1cf1820ba845f0ac341d8472d2f6c76bd25101b http___realm-of-rage.heimat.eu_buxprxv
f083ce88311735ab623bef9f957a5e4cc442f50aa35b7a97ff6cd5a49e6bbafd http___robbeottoy.dommel.be_pb435ks
68282082bb49bd74060e87f09d52080803a89a1ec7c2ea8b75b417a48d32752b http___smc.psuti.ru_rvnfdn26
ef45921b5bba6ca47da8e9c03f829da68b16f37646ef149d57af9406a20209f9 http___steelfs.com.mx_i0ex6
e8be7e42163849ed6ae9b99a0a56b10a02b1ecd0fa1fdb501e8839d2889ba277 http___two-capitals.com_f6a2xhp
5ec111770e46c6ad5db56a8636ec3f6396d03bc9dbf074651bfd5dd356314d3a http___twup.com.br_qaxr2wq
e9b80a91cfe4e011e40cf3f2990b373eed322bae256088670ab03840faaa235e http___www.ecotek-canada.us_mq73x3r
07508af161bbfe40bc256883e7726f8ca62c0e409e553118b1a9a594a2629651 http___www.europegreen.org_va99dis
96a8651760ec9169bf1867dc382f700df6c13a46388c900c471907bf4d00dea6 http___www.ferresur.es_r0sig09
3806ad574dc742c96b7fb1bb53a895c73fecee4e630eca2ca23599484644484a http___www.fulvio77.it_50glk
3b9e23b2d08c4db11ab816bda968057a586d551b34b3306bc58991de543a91b1 http___www.galleriacolonna.org_euhyxd5
6e5281fbbdcaf9fe7d6c2571c8206450024aae0b7eea366350b96f36a1f5ade4 http___www.instalacionesjosearteaga.com_s7yy5
5c104790398a40e091ee57900827dc265dd6e179cd154eda6032df8470f8ae0e http___www.jenohorvath.be_xac2y8
71def880c8c79a70e7e8ef4ce5e9edf0a8c99b8796e747bf96f756ee2baea40a http___www.jramirez.com_c3erjl
30f8d2f0c67996104bf0aa0de40cb94cb714c2dce8036ad9d634ec3958ee42ee http___www.liviazottola.it_jdg3v7
7f3666eb4f88927b31cbb6efe50ac117ebc4392299a200dd009f2b0f001934cb http___www.mbeccarini.com_8k8bpxvf
a1f5e086436b60aeb82d403090409cf17116f24510620c4dfd0d80a1aab3fb07 http___www.mediawareonline.it_ediuv66v
74b0c36435edbc6c1629e436bcdb605f32e254fabccf6324e5d4cf6b8056aaa1 http___www.meta.metro.ru_uumr65
20f45badacf56ce98d4a7118e844a45287c105e12a5fb582ecca13bf6442650c http___www.nadelaur.com_9rbsf
e4fdc5ddc8a3e97d390eb48f37abce9f40544d632edc01aec9973adf65a20666 http___www.opal.webserwer.pl_hpeqoqgg
93750763e4a390307e8b736222f0cfc949888ae827311beebc7a259b5eff3b07 http___www.orad.it_ax2zc0
4379b603e5ee115bf4f3b370b3f2aa9548d8c0ea816ab3d332119252c221e32f http___www.osservatoriofigurale.it_go7sjh
1ddf99c971c5864b597bc3412677df98cf8175ff14fbab7ff269284764f530d8 http___www.robtozier.com_nfltbyrp
7a92cf15acf8b4dd9d9f99cd053bd1140d7c2accf615d830a80eee488a18f9a1 http___www.sashraf.plus.com_0761l
df1078184ff0e14dcc5c928f78c9fe012e0934dd9e0072ea69b765058506890f http___www.smoes.net_vrjhlrj7
bd99b7907ea27f40228a0f2a2b4dcd46907257f227723de81a8be9d4dd5a3951 http___www.totalfitness.it_9fsvcc
fce944fac50dec3b1ba2811b59131890142f55d485ec3a9237b1c9226b5fc4a7 http___www.vincenzofranchino.it_26swqrkm
4f21cb5fa1dcbb80e0193c8c0ba4062788a1840e41407a6c8fdf8af1176603e5 http___www.visionaero.com_oa25q70
107dcfcad0f3ce521a63caa89712d510f00565bf7cc150ee5a85d838ed4aa57f http___www.vissershuisje-bredene.be_fisg4

Sandbox reports (reverse.it):
https://www.reverse.it/sample/ed9ebf23b63c5b1a0b17c35bfe6355b260263a95065fbd6322e2d2265a8c581e?environmentId=100
https://www.reverse.it/sample/c6b8fce21c540641e5f643f0092b98558b62d19a77b98c072b5c40d7f8b96635?environmentId=100
https://www.reverse.it/sample/e3bd29b875861c99cb2e2f803644b860716d701d45656fe5922998342aba6473?environmentId=100
https://www.reverse.it/sample/515c0992cdef921e5a6b0e95351d3eb73d7958cbee8b88f4ff6b202609eee74e?environmentId=100
https://www.reverse.it/sample/0d4cb45b06fa8ceeff0e2c86717c2768012b17a3a9d3ec90f382a6b65704a8cb?environmentId=100

C2:
138.201.191.196:80/data/info.php
188.127.249.32:80/data/info.php
95.85.19.195:80/data/info.php
(cufrmjsomasgdciq.pw) 91.223.180.66:80/data/info.php
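Added example, not part of the paste: a small Python script that turns the indicators above (a subset of the download sites, the four C2 endpoints, the C2 domain, and the "[8 hex chars]_bank_transactions.js" attachment naming pattern) into detection logic and runs it over a constructed proxy log. The log format, the client IPs, the non-listed host 203.0.113.7 and the function names are assumptions made for the example; the indicator values themselves come from the paste. Download sites are matched on host plus path, because most of them are compromised legitimate servers and matching on host alone would be noisy.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the paste above (download sites trimmed to a subset for the example).
DOWNLOAD_URLS = [
    "http://01ad681.netsolhost.com/ym0zloe",
    "http://210.240.104.2/6gycr4x",
    "http://bookinghotworld.ws/0761l",
    "http://www.sashraf.plus.com/0761l",
]
C2_ENDPOINTS = [
    "138.201.191.196:80/data/info.php",
    "188.127.249.32:80/data/info.php",
    "95.85.19.195:80/data/info.php",
    "91.223.180.66:80/data/info.php",
]
C2_DOMAINS = {"cufrmjsomasgdciq.pw"}

# Attachment naming described in the paste: 8 hex chars followed by "_bank_transactions.js".
ATTACHMENT_RE = re.compile(r"^[0-9a-f]{8}_bank_transactions\.js$", re.IGNORECASE)

# Constructed proxy log format (an assumption, not from the paste):
#   <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize(url):
    """Return (host, path) for a URL or a bare host:port/path string.
    The host is lower-cased and the port dropped so that
    '138.201.191.196:80/data/info.php' and 'http://138.201.191.196/data/info.php' compare equal."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


DOWNLOAD_IOCS = {normalize(u) for u in DOWNLOAD_URLS}
C2_IOCS = {normalize(u) for u in C2_ENDPOINTS}


def classify_request(url):
    """Map one requested URL to a verdict, or None when nothing matches."""
    host, path = normalize(url)
    if (host, path) in C2_IOCS or host in C2_DOMAINS:
        return "locky-c2"
    if (host, path) in DOWNLOAD_IOCS:
        return "locky-download"
    if path == "/data/info.php":
        # Same C2 path on a host not in the list: lower confidence, worth a look.
        return "suspect-c2-path"
    return None


def scan_proxy_log(lines):
    """Return a list of hits, one per log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status = m.groups()
        verdict = classify_request(url)
        if verdict:
            hits.append({"time": ts, "client": client, "method": method,
                         "url": url, "status": status, "verdict": verdict})
    return hits


def is_suspicious_attachment(zip_member_name):
    """True when a filename inside an attached zip follows the campaign's naming pattern."""
    return bool(ATTACHMENT_RE.match(zip_member_name))


# Constructed sample log: one download, two C2 check-ins (IP and domain form),
# one benign request, and one request to the C2 path on an unlisted host.
SAMPLE_LOG = [
    "2016-08-31T09:12:03Z 10.0.0.15 GET http://01ad681.netsolhost.com/ym0zloe 200",
    "2016-08-31T09:12:09Z 10.0.0.15 POST http://138.201.191.196/data/info.php 200",
    "2016-08-31T09:12:10Z 10.0.0.15 POST http://cufrmjsomasgdciq.pw/data/info.php 200",
    "2016-08-31T09:13:44Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2016-08-31T09:14:01Z 10.0.0.31 POST http://203.0.113.7/data/info.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['verdict']:16} {hit['url']}")
    print(is_suspicious_attachment("3fa9c01e_bank_transactions.js"))
```

The download hit and the C2 check-ins come from the same client within seconds, which is the sequence the paste describes (JScript downloader fetches the encoded payload, payload then reports to /data/info.php); correlating the two verdicts per client is the natural next step when running this over real logs.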