- 2017-09-05: #locky email phishing campaign "Invoice INV-000xxx from Verizon"
- Email sample:
- -------------------------------------------------------------------------------------------------------------------------
- From: Randall Wigert <messaging-service86@merak-knorr.com.ar>
- To: [REDACTED]
- Subject: Invoice INV-00061 from Verizon
- Date: Tue, 05 Sep 2017 14:14:25 +0700
- Dear customer,
- Here's invoice INV-00061 for USD 909.73.
- The amount outstanding of USD 909.73 is due on 4 Sept 2017.
- View your bill online: http://artdevinci.com/Invoice_INV-00090.7z
- From your online bill you can print a PDF, export a CSV, or create a free login and view your outstanding bills.
- If you have any questions, please let us know.
- Thanks,
- Randall Wigert
- Verizon Privacy Office
- 1300 I Street, NW
- Suite 400 West
- Washington, DC 20005
- Fax: 202-789-1432
- Attachment: Invoice INV-00061.7z -> INV-000193.vbs
- -------------------------------------------------------------------------------------------------------------------------
- - sender is "messaging-service<digits>@<random domain>"
- - subject is "Invoice INV-000<2-3 digits> from Verizon"
- - body contains a link that downloads a VBS downloader of the same kind as the attached one
- - attached file "INV-000<2-3 digits>.7z" contains the file "INV-000<2-3 digits>.vbs", a VBScript downloader that fetches the malware from one of the malware download sites:
- Downloader download sites:
- Malware download sites:
- Malware:
- - encoded on download, SHA256: 6acedd095ace83945ce0d5ab646c97087bf89db79a89e75258ae813a9ddeefb0, MD5: e75a801f7fd6d1fd4521e1ac87e6657b
- - decode by XORing with "bDWZT7cLuVBDjnhVGuShv9lzZHmD1laq"
- - decoded SHA256 b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3, MD5: 13df2fb3b8625ec6691784b64d4337ab
- - VT: https://www.virustotal.com/file/b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3/analysis/1504597240/
- - HA: https://www.reverse.it/sample/b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3?environmentId=100
- - C2: POST 109.234.35.75/imageload.cgi
- - Extension: .lukitus
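Added example, not part of the paste: the payload the downloader fetches is XOR-encoded with the 32-byte key recorded above, so an analyst can recover the real executable with a repeating-key XOR and confirm the result against the decoded SHA256 the paste gives. The sample bytes used below are constructed (a fake PE stub), so the hash comparison is False for them; on the real download it should be True.

```python
import hashlib
from itertools import cycle

# XOR key the analysis records for this Locky sample (from the page).
XOR_KEY = b"bDWZT7cLuVBDjnhVGuShv9lzZHmD1laq"
# SHA256 the analysis gives for the decoded payload (from the page).
EXPECTED_DECODED_SHA256 = "b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key as needed.
    XOR is its own inverse, so the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_and_check(blob: bytes, key: bytes = XOR_KEY,
                     expected_sha256: str = EXPECTED_DECODED_SHA256) -> tuple[bytes, bool]:
    """Decode a downloaded blob and report whether its SHA256 matches the
    hash recorded in the analysis. Returns (decoded_bytes, hash_matches)."""
    decoded = xor_repeating_key(blob, key)
    return decoded, sha256_hex(decoded) == expected_sha256.lower()


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: a Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed stand-in for the real sample: a fake PE stub, XOR-encoded
    # the same way the downloader would receive it. Not real malware bytes.
    plain = b"MZ" + b"\x90" * 62 + b"constructed test payload"
    blob = xor_repeating_key(plain, XOR_KEY)
    decoded, matches = decode_and_check(blob)
    print("decoded starts with MZ:", looks_like_pe(decoded))
    print("matches recorded SHA256:", matches)  # False for the constructed data
    print("decoded SHA256:", sha256_hex(decoded))
```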