API tools faq
paste
Advertisement
Racco42

2016-11-07 Locky "Health insurance"

Racco42
Nov 8th, 2016
1,729
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.73 KB | None | 0 0
raw download clone embed print report
  1. 2016-11-07: #locky email phishing campaign "Health insurance"
  2.  
  3. Email sample:
  4. -------------------------------------------------------------------------------------------------------------------
  5. From: "Gail Michael" <Michael195@operations-tech.com>
  6. To: [REDACTED]
  7. Subject: Health Insurance
  8. Date: Mon, 07 Nov 2016 22:52:34 +0100
  9.  
  10. Dear [REDACTED], this is from the insurance company concerning with your health insurance.
  11. The new insurance contract is attached.
  12. Please look over it and let us know if you have questions.
  13.  
  14. Best Wishes,
  15. Gail Michael
  16.  
  17. Attachment: insurance_f57672432.zip
  18. -------------------------------------------------------------------------------------------------------------------
  19. - sender address varies between emails
  20. - subject is "Health insurance"
  21. - attached file "insurance_<random chars>.zip" contains file "NRV_<random char>.js", a JScript downloader
  22.  
  23. Download sites:
  24. http://50engineersroad.com/ovr9t4gh
  25. http://aloneadage.com/022mwu
  26. http://aloneadage.com/2jonq
  27. http://aloneadage.com/3z2390i
  28. http://aloneadage.com/5vxsiir
  29. http://breepes.com/2g7bwc2
  30. http://breepes.com/3ql7b0m
  31. http://breepes.com/5kjcg
  32. http://breepes.com/8d14skoi
  33. http://broonquipo.net/1to1o
  34. http://broonquipo.net/3f6wvc0
  35. http://broonquipo.net/59hxkliz
  36. http://broonquipo.net/802z6
  37. http://carindoauto.net/tmbqhc
  38. http://carrier-spb.ru/wafxdfc
  39. http://cetinakademi.com/jh018hr0
  40. http://choopchirk.net/0d5ak
  41. http://choopchirk.net/349u8
  42. http://choopchirk.net/4bkz3b
  43. http://choopchirk.net/7cxd7eq0
  44. http://coilgalvalumemurah.com/ka85ho0
  45. http://coilgalvalumemurah.com/qk1zs
  46. http://copperblues.ca/mxf79
  47. http://environment.ae/dycuhk
  48. http://eyzimo.ru/ejz2xd
  49. http://filomak.com/aa0249dz
  50. http://fitnesstips.dk/oltvv9
  51. http://fkhate.wz.cz/uq5dh1
  52. http://florindumitrescu.ro/aoqsww
  53. http://fordcmaxclub.nl/smt82
  54. http://fototour.pl/hv9wgx80
  55. http://fuatbilgin.com/p1zikf8a
  56. http://funeralcars.eu/i2suor
  57. http://gallato.com/59hxkliz
  58. http://gaoqing8.net/d7g17
  59. http://gardencreation.be/bc368
  60. http://gastradebg.com/q3caw
  61. http://gcw123.net/dsdgs
  62. http://gelecekdiyarbakirsigorta.com/bnm4y
  63. http://genelev.net/slzk0i9
  64. http://ghaemshahr.net/ykzt4wdy
  65. http://giadinh24.com/pzkvod1t
  66. http://giesn.nl/aw392
  67. http://gizlot.com/e5gdr
  68. http://gloriajeanscoffees.co.th/cheqoqwj
  69. http://gogeshop.com/m5mog1m1
  70. http://goltest10.com/wr73amy
  71. http://goodcatch.com/rvndfri
  72. http://greatbi.nl/zqap33
  73. http://grittivn.com/o8hnt
  74. http://gwyhome.net/cvs6j8dn
  75. http://harmat.pt/r1q2lu0c
  76. http://harpen.nl/twtsp
  77. http://hassyuu.com/rw96x1
  78. http://hdmedia.pl/802z6
  79. http://healthbynature.co.nz/owtf1
  80. http://heederik.eu/ro2jtu
  81. http://henanbusiness.net/xzwl8m2b
  82. http://hentai.tc/bmctehb
  83. http://hetmangniew.friko.pl/tijwn65r
  84. http://hg-bikes.de/eigvqz7
  85. http://highlakehill.be/omgfcbmn
  86. http://himichesko-varna.com/fzqrolxe
  87. http://hiro-eki.com/rfa5p
  88. http://hksv.jp/nc1qq
  89. http://hkyidianyuan.com/f14bs3
  90. http://hockeyboy.ru/aopodhpv
  91. http://hockeylavalest.com/tkaxy
  92. http://infodoza.biz/wiyqhtxn
  93. http://jcereza.com/ydpjch
  94. http://maxhotel.it/349u8
  95. http://model-meister.com/zvxvod5o
  96. http://pornovizion.com/kv79cx
  97. http://rokematin.com/0et8v
  98. http://rokematin.com/3ekauq6y
  99. http://rokematin.com/4ofajt
  100. http://rokematin.com/7ntqf4
  101. http://test.gotoweb.pro/v9dotj
  102. http://waag-azhar.com/ug4qr8h
  103. http://westprod.fr/y18b6d5k
  104.  
  105. Malware:
  106. - encoded on download
  107. 826d824586c7416ee80e9ff8f3b1a1e72c8c780fd23d434fba78809344a251ce http___50engineersroad.com_ovr9t4gh
  108. c0dc30df61cb68e5abffb1f1c58f6145ff6cfae17a415eef827874908a476fbc http___aloneadage.com_022mwu
  109. 91ac45f2fa465f50dc7ed49cec361f294f5ab467bdda136d093fa6813ff30888 http___aloneadage.com_2jonq
  110. 1b10d027198207e82b2f21dd5e7483d03194f577c8c05d7bf582e568c64a05fb http___aloneadage.com_3z2390i
  111. c973aba37d7f6e6c85b5a2691eaad1424f278f6864a83cca46ef6b6f85d98d3c http___aloneadage.com_5vxsiir
  112. 77dbf23fef93c82e1f2db694b12fa97d8d0c9d3c87348ee54a3c3f3d3efeb8d3 http___breepes.com_2g7bwc2
  113. bca6299cbe2df3d260c37a29b353aeb4c11394ce9c3abe61c8fdf8aaac1296dc http___breepes.com_3ql7b0m
  114. 36731cb1c938ccb6733e291d10038dd8e3e1d2a5a991bae3df6992b6f3ae2b28 http___breepes.com_5kjcg
  115. 29172bda6c793465dc8b897a70f98ab087ef098647d3da4e49925bfead58bd57 http___breepes.com_8d14skoi
  116. 86a4f93354ffead76531779c4d32273d621214602822408bfa9c966ba6ef8f9e http___broonquipo.net_1to1o
  117. 4b37f4dfa279fc9f13900557ff2d992161ecac58b0aea5f98d0b2a655bee7779 http___broonquipo.net_3f6wvc0
  118. ba9f6a11e04b0da6b9ceb4b4dc8681056880420c22764a6a3668502f19c2f04c http___broonquipo.net_59hxkliz
  119. 89ba584726d3903b259c705dca1e1b251e66b111c5c199dc8950173e00771fd7 http___broonquipo.net_802z6
  120. f1e640d3694c99c02c82a714f2e91c7f26dc629d1f9156b09bba190280b43762 http___carindoauto.net_tmbqhc
  121. 1215ec7def02c2ab9b840f5325184c51e72b02b512cae78c14dce1dcb1615b01 http___carrier-spb.ru_wafxdfc [2]
  122. 57c54e2f7a855c3a5b6c6575b6f782bdd5cd0d01a46661673e9e380effab0558 http___cetinakademi.com_jh018hr0
  123. ba7b5c3143b08e6c08a062d6e472a86fd728fe7dc7b28667953eb3aa9e92f3ef http___choopchirk.net_0d5ak
  124. dd852805f638c67e56ef6942d86a306407018733fbcc44ac5d82deeb06439c0d http___choopchirk.net_349u8
  125. ba86f8ede9e4bd182f1656bbe58fce1c0217a348fa1c23bf4ab82fd8c6fe7ffc http___choopchirk.net_4bkz3b
  126. b6aeac4ad5725a9908d95b497351f1fcc1df89e9a1dd458677370289f7e7d210 http___choopchirk.net_7cxd7eq0
  127. aedf7e53395d1e2a4a464ee797d14adcb3f1ab20003e161b5ce93dd343e5f720 http___coilgalvalumemurah.com_ka85ho0
  128. 72e0fe8e4cce2aabb11fd1a709b0ab9b1d74ab6b407f0b2e339d67239c762031 http___coilgalvalumemurah.com_qk1zs
  129. 00e02090c668cf211efd31cbcffe11e5c3929998ec0f21ba056673102990a0f1 http___copperblues.ca_mxf79
  130. 8ba2f03a1d8091029925f95ab0cc8af6198af9fad4308f630e20a61f95b8a410 http___environment.ae_dycuhk
  131. dbb57ecdd0c583c5ee1a4b6da0d5aad8d719e9641a8078da4000873f3e247f50 http___eyzimo.ru_ejz2xd
  132. f6b7dda7d3101a52c59efd54afb20372bc0c15c955239d7d23b994094c5f5b50 http___filomak.com_aa0249dz
  133. 341a4a0e31f98bfab001b5f1fc593f3286bcc2c41187eb2ba9f9302ca7772f55 http___fitnesstips.dk_oltvv9
  134. 6412939a45d30f82827334b96f49e1d0a578fd7ca90e446d14a62f7f7ab30bca http___fkhate.wz.cz_uq5dh1
  135. bd6e19ca9520f924efaec85ca06c1498e6cf3fabd491090172f845a1827d60c0 http___florindumitrescu.ro_aoqsww
  136. 32ae064e6224f4e0b31379bdc9adac672c6942e21c428c164602cfa48e45a0ed http___fordcmaxclub.nl_smt82
  137. 262626518925126b3d4ff62a4ad90f5c411789e7ec55a38f323596e953efa487 http___fototour.pl_hv9wgx80
  138. 46dc45eefcd826255cf9cd96785795e1e3fa0926778e4d99eca8dc3c42c54550 http___fuatbilgin.com_p1zikf8a
  139. cc41b46168abf83df2c573a15deb010b467740edd131bc1cc2b2868a7102b0b7 http___funeralcars.eu_i2suor
  140. ba9f6a11e04b0da6b9ceb4b4dc8681056880420c22764a6a3668502f19c2f04c http___gallato.com_59hxkliz
  141. e307336bd932b953b931e39d795f1904e9f6ad2b8c0e06b063941ea620255af6 http___gaoqing8.net_d7g17
  142. c14867b8e6e515131f4797543e595ec8b6abb5da2de2693be7610ec6e496b715 http___gardencreation.be_bc368
  143. 9645014215adf8dfdf2a5e6589b11bacf4172e513daacc27c729614c774a3e77 http___gastradebg.com_q3caw
  144. 6a25eb5df3215c241fb88bdb227ef7e635082cb25d39bfd8a75162e977c493b7 http___gcw123.net_dsdgs
  145. 298b82c562086b733f7a5eab23c57131467d89fefb102b704b8d850e5672ba27 http___gelecekdiyarbakirsigorta.com_bnm4y
  146. ad6c8c6a823a9e2b3350cd788db3b275f3ac78d056093ea7fcc8187122622d91 http___genelev.net_slzk0i9
  147. c818d3c2b5f3a17ed7b41a669956c8c83baff12f9bd1585e5b463f047289f700 http___ghaemshahr.net_ykzt4wdy
  148. 4403ba5462b9e8b80d2f9adbec21b586ede9736cbe50be18947b0bbe78c2483e http___giadinh24.com_pzkvod1t
  149. e6805d6be075c6b357c0ddbdd5cbf1b8e6545fb67a4b4dbdccdc0398950df7a3 http___giesn.nl_aw392
  150. d7752c7b886f1b7d6efa7ecb5f7b15b40d377cf97149d69c8f8d43b54b9c0198 http___gizlot.com_e5gdr [1]
  151. 06bcf14f510a32686dd31baf7233cb7ea5d2c0b755f8546b5a62d365318afe0c http___gloriajeanscoffees.co.th_cheqoqwj
  152. ca5f700feedd050c2058c8d50b2839ec28e24b47c22bbbee885475346038e55a http___gogeshop.com_m5mog1m1
  153. 3aa5078011c331749a5a2b4ceff942a1e212e59fc2f77a544736cb316bc4e997 http___goltest10.com_wr73amy
  154. 538f9d0b4d23d838d46b745adbdd622a875f2e3ddf4fa76c56a4d3ab9744cf1e http___goodcatch.com_rvndfri
  155. 82c74bb7cbd81f4a27d392603cab755d7971afa099b81bab8094d1ef70246913 http___greatbi.nl_zqap33
  156. 30aa1b7032dbbdb56ac527cf6a8c9091216d4f227696e5042d6fb2d3e3e1924b http___grittivn.com_o8hnt
  157. bf5e0bb8b0fa72148fd08f869e2a2ff25bf3ab54b72d46258287901aa76da626 http___harmat.pt_r1q2lu0c
  158. 4b1035092f001654f7703e9c76ecc38431e0b402d7caf8ce3f49c39a45087d68 http___harpen.nl_twtsp
  159. c8e405edd6c12dd7b5ce77a6d70c8a3b5dbe104e3d9939136ab050bbfd7c3bfa http___hassyuu.com_rw96x1
  160. 89ba584726d3903b259c705dca1e1b251e66b111c5c199dc8950173e00771fd7 http___hdmedia.pl_802z6
  161. 310c16a134ccf8b01584643c9fd619a5a4936155403504fc83a6e1d548c69e75 http___healthbynature.co.nz_owtf1
  162. 1258fc4a8325212fbcfcccd68bfecb5e73361c4bb445e39ecc241c9878252640 http___heederik.eu_ro2jtu
  163. bc0d98b9413d64bc393c9d6bce7a64fdddae2328bc8a7e945367b745179dd993 http___henanbusiness.net_xzwl8m2b
  164. 723261187e88cc37b5c65416e892b1e034666ea8cf0dc4ea96c8848683ee4ac1 http___hentai.tc_bmctehb
  165. ab0a7fc336240a3749b8c346cceef4757f4cc45b53aa6f1f33d3f3d78226f6e1 http___hetmangniew.friko.pl_tijwn65r
  166. 88f1a9ac536517a6ec30e8bd03fd602a8753d5ff701e706099636025e002b4d1 http___hg-bikes.de_eigvqz7
  167. d6b0889e72d2b4ce3fece396b229ca619146b2efe9df8257cdab0a927a2269b9 http___highlakehill.be_omgfcbmn
  168. 7d6afdd16be010dc5937ee608454801e2385339c6729f88f0287e2e53a0fe6b4 http___himichesko-varna.com_fzqrolxe
  169. 4184a11e70e44064ed6a043b6852a3113125abab23902c28130314b5e0153da0 http___hiro-eki.com_rfa5p
  170. f20bb9780e67a4e70d176070484fdc17a305dfe911b32de2b089ae13cafd6fbb http___hksv.jp_nc1qq
  171. e654f877f3f544d8df79f52c27134c59778c0d6bb3deac4a30714791058a72e7 http___hkyidianyuan.com_f14bs3
  172. c4bc6385bfa719efb5a490cbaa3700985dcbd227a2d93e589101919eb1a4f268 http___hockeyboy.ru_aopodhpv
  173. 957e34f9d471d9838601cef112d167c435eb7dfada6f13892e21609b39709aad http___hockeylavalest.com_tkaxy
  174. d234a1e037e595d6b0bf1b780195611f74409b7e1a8c288f11c90bde0a763545 http___infodoza.biz_wiyqhtxn
  175. 72d8ac092daaac35725ac94b57f5307aa3a370e6ec44e8a912aec246ab7b391c http___jcereza.com_ydpjch
  176. dd852805f638c67e56ef6942d86a306407018733fbcc44ac5d82deeb06439c0d http___maxhotel.it_349u8
  177. 770133d54966151dd7202ab11a88e136b2932d27827781f2aa74496f9c4a2345 http___model-meister.com_zvxvod5o
  178. abc22427774779030f7d12b648f35868c4a427e4c16acf66da4cadc52d44f4a5 http___pornovizion.com_kv79cx
  179. 5211c3dec01d0692867162d6adef1a42205aa65fe2af1927c1b85d34b3928a77 http___rokematin.com_0et8v
  180. f3984627eaced5e246bfddf737eed0fbb0eb561669987d44521f7947cd627f27 http___rokematin.com_3ekauq6y
  181. 97dc745d23012122dd2fe24a0ed01a8d32f99ac624749d241b9207b0110ea5c2 http___rokematin.com_4ofajt
  182. d7c2c3f59d88b1c35958b4f4afd9ccf658f0366a29e43ad496c906813efd1f1b http___rokematin.com_7ntqf4
  183. ad776ad31836404cf80c3d651682a340ebf7a56da822dd73dea8b88b988a4578 http___test.gotoweb.pro_v9dotj
  184. 241c9351c7a33773f9e076c611c600890ee4b6fabc8b3eb620e388251c617199 http___waag-azhar.com_ug4qr8h
  185. 67c5b585877586b7334e44dfb6626993e73e42b1acbadc48db378de01f855719 http___westprod.fr_y18b6d5k
  186.  
  187. - decoded
  188. SHS256 1215ec7def02c2ab9b840f5325184c51e72b02b512cae78c14dce1dcb1615b01, MD5 8c49f01bc6c10c99de89815b43cac087 [2]
  189. SHA256 d7752c7b886f1b7d6efa7ecb5f7b15b40d377cf97149d69c8f8d43b54b9c0198, MD5 1d827a9701c1f7d251bf4492728c33ad [1]
  190. - executed by "rundll32.exe %TEMP%\<dll_name>,woody"
  191. - samples
  192. https://www.reverse.it/sample/75b8eedf7bfe5b8f7b405276505b77b544778c6cf2d342a1cf6ef2c73c4a9ef9?environmentId=100
  193. https://www.reverse.it/sample/0a92fbb47a5f2ed11d40a5d973bf7306003131dd27ed9e44cf3769e7f979de4c?environmentId=100
  194. https://www.reverse.it/sample/d4a4e7e2c424b44835e6fdfd905c6458de4e1ecb4283681c611b19c41897377e?environmentId=100
  195. https://malwr.com/analysis/ZWZhNzViNjZlOTM0NGZhM2FkNDVhYjBjN2Q0MDBjOGM/
  196.  
  197. C2:
  198. POST 185.102.136.127:80/message.php
  199. POST 195.123.211.229:80/message.php
  200. POST 188.65.211.181:80/message.php
  201.  
  202. bnmqkgdlotrwqym.work
  203. dmynnrrvse.org
  204. gccaoqb.xyz
  205. jcbbccd.pl
  206. ksrcvmvfbc.org
  207. mwyryuxoyhxlk.work
  208. ornrkiokjkkqymw.org
  209. rqrxrivxjt.pl
  210. ummprtrxunm.xyz
  211. wmstntaae.su
  212. wmcrfvhf.org
  213. xdriwlpllshhngyc.xyz
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!