API tools faq
paste
Advertisement
Racco42

2016-11-03 Locky "Urgent payment request"

Racco42
Nov 3rd, 2016
2,329
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.08 KB | None | 0 0
raw download clone embed print report
  1. 2016-11-03: #locky email phishing camapaing "!! Urgent payment request"
  2.  
  3. Email sample:
  4. ----------------------------------------------------------------------------------------------------------
  5. From: terri.stanley@faroldovale.com
  6. To: [REDACTED]
  7. Subject: !! Urgent payment request
  8. Date: Thu, 03 Nov 2016 18:06:03 +0800
  9.  
  10. TERRI STANLEY
  11.  
  12. Telefon: +49 5055 / 51-8502
  13. Fax: +49 5055 / 5166-8502
  14. E-Mail: terri.stanley@faroldovale.com
  15.  
  16. Attachment: "2620800243-8943568474-201611180603-0680.zip"
  17. ----------------------------------------------------------------------------------------------------------
  18. - sender varies between emails
  19. - subject is "Urgent payment request" prefixed with 1-3 "!" and space
  20. - attached file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.zip" contain file "<10 digits>-<10 digits>-201611<6 digits>-<4 digits>.js", A JScript downloader
  21.  
  22. Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download):
  23. http://020zz.com/jhb6576
  24. http://0551gx.cn/jhb6576
  25. http://1kupon.com/jhb6576
  26. http://3-50-90.ru/jhb6576
  27. http://abclala.com/jhb6576
  28. http://adj3.pt/jhb6576
  29. http://aertsbonarius.nl/jhb6576
  30. http://africantickets.de/jhb6576
  31. http://aizheni.cn/jhb6576
  32. http://ajmontanaro.com/jhb6576
  33. http://ajooma.nl/jhb6576
  34. http://akram37.com/jhb6576
  35. http://albakrawe-uae.com/jhb6576
  36. http://alpermetalsanayi.com/jhb6576
  37. http://aquatica.at/jhb6576
  38. http://arbeiten.pl/jhb6576
  39. http://archmod.com/jhb6576
  40. http://asaproducoes.com/jhb6576
  41. http://autoparts-outlet.nl/jhb6576
  42. http://avenueresto.com/jhb6576
  43. http://badaprogres.es/jhb6576
  44. http://baseballtivy.com/jhb6576
  45. http://bbq-tech.com/jhb6576
  46. http://belaket.nl/jhb6576
  47. http://belusadba.ru/jhb6576
  48. http://berrysbarber.com/jhb6576
  49. http://bestoptic.eu/jhb6576
  50. http://bg-n.nl/jhb6576
  51. http://bipmwebs.com/jhb6576
  52. http://bradandmel.com/jhb6576
  53. http://britneyspears.website.pl/jhb6576
  54. http://caballerobustamante.com.pe/jhb6576
  55. http://cafedelrey.es/jhb6576
  56. http://carbonfiber.ro/jhb6576
  57. http://caribbeancopiers.com/jhb6576
  58. http://centinel.ca/jhb6576
  59. http://chinasymbolic.com/jhb6576
  60. http://christophflueck.ch/jhb6576
  61. http://cisie.pl/jhb6576
  62. http://ck.co.th/jhb6576
  63. http://clickjv.com/jhb6576
  64. http://clubchasseetpechedesamis.com/jhb6576
  65. http://comercialtrujillo.es/jhb6576
  66. http://competc.ca/jhb6576
  67. http://continents.com.hk/jhb6576
  68. http://cor-huizer.nl/jhb6576
  69. http://cosywall.pl/jhb6576
  70. http://crecrec.com/jhb6576
  71. http://cwv.cc/jhb6576
  72. http://dentastyle.ro/jhb6576
  73. http://dessde.com/jhb6576
  74. http://dietafine.cz/jhb6576
  75. http://dilovasicicek.com/jhb6576
  76. http://distributorsite.com/jhb6576
  77. http://dornovametoda.sk/jhb6576
  78. http://dosq.es/jhb6576
  79. http://drkitchen.ca/jhb6576
  80. http://dutchcotton.nl/jhb6576
  81. http://dwunion.com/jhb6576
  82. http://dx-team.org/jhb6576
  83. http://edcentre.nl/jhb6576
  84. http://edumarvm.com.ar/jhb6576
  85. http://electron-trade.ru/jhb6576
  86. http://elektronstore.it/jhb6576
  87. http://essenceofbeauty.ca/jhb6576
  88. http://evirtualteam.com/jhb6576
  89. http://e-ws.net/jhb6576
  90. http://faiz-e-mushtaq.com/jhb6576
  91. http://familieheigl.de/jhb6576
  92. http://farko.eu/jhb6576
  93. http://schuhdowdy.net/jhb6576
  94. http://teriisawa.com/jhb6576
  95.  
  96. UPDATED:
  97. http://avnbook.com/jhb6576
  98. http://ccilfov.ro/jhb6576
  99.  
  100. Malware
  101. - encoded on download SHA256 2d3bdad21984a3fb3a38d7b0ae6194d698333e6254a423ea724921ef7367ccb6, MD5 0dde5161009954ee77c9f12e693bc91c
  102. - decoded SHA256 0e6bd3de7ac49ff4438a592892e0bb8da9596be4ed8328459c239c6f3b4dec86, MD5 21a782f9b1089fe169279d5a56aa6719
  103. - executed by "rundll32.exe <dll_name>,text"
  104.  
  105. C2:
  106. POST http://109.234.34.227/message.php
  107. POST http://194.28.87.26/message.php
  108. POST http://93.170.123.119/message.php
  109. POST http://avqraxyq.pl/message.php
  110. POST http://disvfthejnadoufh.biz/message.php
  111. POST http://dspdepmduhduk.work/message.php
  112. POST http://fnsacxejerahf.info/message.php
  113. POST http://heihlcvfcexxxqvr.click/message.php
  114. POST http://lbflexv.click/message.php
  115. POST http://mbmeeayr.su/message.php
  116. POST http://qvepebtlksgxel.su/message.php
  117. POST http://thfafqhxyiwf.pl/message.php
  118. POST http://umfhhrwfws.ru/message.php
  119. POST http://xecemaekvltyv.xyz/message.php
  120. POST http://ydcdxki.work/message.php
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!