Racco42

2016-09-16 Locky "Re: request"

Sep 16th, 2016
2016-09-16 #locky email phishing campaign "Re: request"

Email:
------------------------------------------------------------------------------------------------------------------
From: "Cecil Romero" <Romero.2743@ttnet.com.tr>
To: [REDACTED]
Subject: Re: request
Date: Fri, 16 Sep 2016 10:23:13 +0300

Dear [REDACTED], as you inquired, here is the invoice from September 2016.

Let me know whether it is the correct invoice number you needed or not.

Attachment: 0c0a498a931d.zip
------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Re: request"
- attachment <random hex characters>.zip contains two files: a one-letter-name file filled with 0's (padding) and the JScript downloader "september_2016_details_~<random hex chars>~.js"
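A mail-gateway triage check for the attachment structure described above, added here as an example and not part of the original paste. The filename regex and the all-zero padding test are assumptions derived from the description; the sample zip is constructed inline and contains no real campaign file.

```python
import io
import re
import zipfile

# Downloader name pattern from the campaign description above:
# september_2016_details_~<random hex chars>~.js (assumed: hex digits in either case)
JS_NAME_RE = re.compile(r"^september_2016_details_~[0-9a-f]+~\.js$", re.IGNORECASE)


def looks_like_locky_request_zip(zip_bytes: bytes) -> bool:
    """True when the zip matches the attachment structure described above:
    exactly two files, one with a one-letter name consisting only of 0x00 bytes
    (padding) and one JScript file named september_2016_details_~<hex>~.js."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
            if len(files) != 2:
                return False
            saw_padding = saw_downloader = False
            for info in files:
                data = zf.read(info)  # phishing zips are small; read the whole entry
                if len(info.filename) == 1 and data and set(data) == {0}:
                    saw_padding = True
                elif JS_NAME_RE.match(info.filename):
                    saw_downloader = True
            return saw_padding and saw_downloader
    except zipfile.BadZipFile:
        return False  # not a zip at all, so not this attachment pattern


def build_sample_zip(js_name: str, pad_name: str = "a", pad_len: int = 4096) -> bytes:
    """Constructed test input (not a real campaign artifact): a zip holding a
    zero-filled padding file and a .js entry containing only an inert comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(pad_name, b"\x00" * pad_len)
        zf.writestr(js_name, "// placeholder body, not the campaign's downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    # constructed hex suffix; the real mails use a different random value each time
    sample = build_sample_zip("september_2016_details_~3f9a1c7d~.js")
    print(looks_like_locky_request_zip(sample))  # True
```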

Download sites:


Malware:
- encoded on download; file size varies
- decoded
fa65436518400f29fc32e1a068624aec7c5e681de78b86f33a296438f37352bd http___yerndrunk.net_nhddf4gt
493eb59b1f4f4e163af4f558cfcbbcc1928c8948a0a3adb4658a94c1bfbfe848 http___bulkreasy.com_oqn8p
4b6fe8320de7a9118e23d6d694cf5d43ff3ecaf01ae3dde3ba044e3acc6163c8 http___bulkreasy.com_905jscb
0d8351216b3213819e0b4b823eebb19d040f32517e9b6b9d7cbae7f75b1c289f http___maggycocoa.net_i9uje
- executed by "rundll32.exe %TEMP%\ESsUtxqY.dll,qwerty 323"

Sandbox reports:
https://www.reverse.it/sample/69022aac84e502302f00409d36f169f57dde14357b5f413270e9c05da24fa7e1?environmentId=100
https://www.reverse.it/sample/ec1b64eaea3d84e9118b356a795faf9f595f15cf1c99ab0387b513830bd4b069?environmentId=100
https://www.reverse.it/sample/3c1a3faacc62ae06cfe6c18a506005ffbce5471e93dd5d0911de81f78ff0a30d?environmentId=100
https://www.reverse.it/sample/d570e74ebe4c74a362faefe0e372fead1c5df258a51d8c0a626421b6e7b58829?environmentId=100
https://www.reverse.it/sample/7ac5e3a525167f4edfb1e60b8a82fe7a80040e7f2cf51b6d229defbd6ceab5a9?environmentId=100
https://www.reverse.it/sample/8651d10b7af4e4eedfc17e3f13ba7c90e54202906be86f770dec6350cbefd373?environmentId=100

C2:
- no C2 communication