2016-09-16 #locky email phishing campaign "Re: request"
Email:
------------------------------------------------------------------------------------------------------------------
From: "Cecil Romero" <Romero.2743@ttnet.com.tr>
To: [REDACTED]
Subject: Re: request
Date: Fri, 16 Sep 2016 10:23:13 +0300

Dear [REDACTED], as you inquired, here is the invoice from September 2016.
Let me know whether it is the correct invoice number you needed or not.

Attachment: 0c0a498a931d.zip
------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Re: request"
- attachment <random hex characters>.zip contains two files: a one-letter-name file filled with zeros (padding) and the JScript downloader "september_2016_details_~<random hex chars>~.js"
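A static check for attachments of the shape described above, added here as an example; it is not part of the original paste and not the campaign's own code. It builds two constructed zip archives in memory, one mimicking the described layout (a one-letter zero-filled padding file plus a september_2016_details_~<hex>~.js entry whose body is a harmless stub, not the real downloader) and one benign archive, and flags an archive only when both structural markers are present. The archive-name pattern is generalized from the single observed sample (0c0a498a931d.zip, 12 hex characters) to any run of hex characters, which is an assumption; the lure subject check is the exact "Re: request" from the paste.

```python
import io
import re
import zipfile

# Name patterns taken from the paste: <hex>.zip (observed: 0c0a498a931d.zip, 12 chars;
# any length accepted here, an assumption) and september_2016_details_~<hex>~.js.
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"^september_2016_details_~[0-9a-f]+~\.js$", re.IGNORECASE)
LURE_SUBJECT = "re: request"


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; only used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_zero_padding(data):
    """True for a non-empty blob consisting solely of 0x00 bytes."""
    return len(data) > 0 and data.count(0) == len(data)


def inspect_attachment(zip_name, zip_bytes):
    """Static inspection only: the JScript is never executed or evaluated.
    Returns (verdict, reasons); verdict is one of
    "campaign-match", "suspicious", "clean", "not-a-zip"."""
    reasons = []
    if ZIP_NAME_RE.match(zip_name):
        reasons.append("archive name is hex characters + .zip")
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ("not-a-zip", reasons)
    with zf:
        js_hits, padding_hits = [], []
        for info in zf.infolist():
            stem = info.filename.rsplit("/", 1)[-1]
            if JS_NAME_RE.match(stem):
                js_hits.append(stem)
            elif len(stem) == 1 and is_zero_padding(zf.read(info)):
                padding_hits.append(stem)
    if js_hits:
        reasons.append("JScript downloader name pattern: " + js_hits[0])
    if padding_hits:
        reasons.append("one-letter zero-filled padding file: " + padding_hits[0])
    # The archive name alone is weak evidence (any hex-looking name hits), so the
    # verdict keys on the two structural markers the campaign always shows.
    if js_hits and padding_hits:
        verdict = "campaign-match"
    elif js_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return (verdict, reasons)


def triage_email(subject, attachment_name, attachment_bytes):
    """Combine the lure subject with the attachment verdict."""
    verdict, reasons = inspect_attachment(attachment_name, attachment_bytes)
    if subject.strip().lower() == LURE_SUBJECT:
        reasons.append('subject matches lure "Re: request"')
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples (not real campaign artifacts): the .js body is a harmless stub.
SAMPLE_MALICIOUS = build_zip({
    "a": b"\x00" * 4096,
    "september_2016_details_~7e5a7~.js": b"// constructed stub, not the real downloader\n",
})
SAMPLE_BENIGN = build_zip({"readme.txt": b"hello", "notes.js": b"var x = 1;\n"})

if __name__ == "__main__":
    print(triage_email("Re: request", "0c0a498a931d.zip", SAMPLE_MALICIOUS))
    print(triage_email("Minutes", "report.zip", SAMPLE_BENIGN))
```

The zero-filled padding file is the stronger of the two markers: the JScript name changes with each campaign wave, while a one-letter file of nothing but zeros has no legitimate reason to sit next to a script in an "invoice" archive.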
Download sites:
http://bulkreasy.com/7e5a7
http://bulkreasy.com/8tl3rmh
http://bulkreasy.com/905jscb
http://bulkreasy.com/c3vaho
http://bulkreasy.com/oqn8p
http://maggycocoa.net/8i00a
http://maggycocoa.net/i9uje
http://maggycocoa.net/uml71ij
http://maggycocoa.net/z8xl3w7q
http://maggycocoa.net/zi6mrx
http://yerndrunk.net/esab0
http://yerndrunk.net/ez5jqc0n
http://yerndrunk.net/nhddf4gt
http://yerndrunk.net/t43anq3
http://yerndrunk.net/yk5vx6i
Malware:
- encoded on download, file size varies; listed as SHA256 followed by the source URL (':' and '/' replaced by '_')
be4a72bb587ab2ca419e509c693ec9b755015db312fc7874f4baf7a8cf39952f http___bulkreasy.com_7e5a7
c500462e52c1f8c3de7d29959c11dac4e28d0933de76e7cb269bd205db7aedbd http___bulkreasy.com_8tl3rmh
6f4ac0cf15f96ce1076383e54e5f04d6c2ca4345d7825735a40bf7367e2c6bd5 http___bulkreasy.com_905jscb
bb6420b73e957ca60d68ddb2a7b8728f3621059165dfbc79ff3fb906504fae1f http___bulkreasy.com_c3vaho
dd818e3cb5d466aea1c7dbd64373ffe36d33005a007155c98468320076d424c8 http___bulkreasy.com_oqn8p
cbb28e44569745a1b7a87f51b05d4f9981c80ea7e88946b9cdcafdb0cc24400f http___maggycocoa.net_8i00a
c47938468017190b755b874d24edf034113b06b5aeb4c2a18e99695ca1b4612a http___maggycocoa.net_i9uje
3d815de7d310ce1a642f9652549bde24b68475f10fca7628a29bd95d6596efde http___maggycocoa.net_uml71ij
85910b2ca063d37eb0f4fe82ac49d2b94e99cf54f9a3e0235f0574ffc48c6962 http___maggycocoa.net_z8xl3w7q
5da6ef0be7f6dd8f69a9d8a4b442a99980dd8013dd522cc687ccf9d29f422499 http___maggycocoa.net_zi6mrx
68f636de736d36c13833b578e84437ec01835b51555ecd89b6a7f30487406112 http___yerndrunk.net_esab0
4a0ef8211a63000ed9f7561e1c8f07edcf25a411723ec6d687dcf37f62f3c303 http___yerndrunk.net_ez5jqc0n
be07bfaf0c3db019c122cb9edb6dc3117a0ee26a8a41612079aac54a9ca881d8 http___yerndrunk.net_nhddf4gt
38614549cd139353e2ca251386239092ac69f0da2720f059eb83999edf7766b0 http___yerndrunk.net_t43anq3
f8f980d54c6b41e4ad67fa4ee07acccd7b959e624b823b36acd8e501c7042c35 http___yerndrunk.net_yk5vx6i
- decoded payloads:
fa65436518400f29fc32e1a068624aec7c5e681de78b86f33a296438f37352bd http___yerndrunk.net_nhddf4gt
493eb59b1f4f4e163af4f558cfcbbcc1928c8948a0a3adb4658a94c1bfbfe848 http___bulkreasy.com_oqn8p
4b6fe8320de7a9118e23d6d694cf5d43ff3ecaf01ae3dde3ba044e3acc6163c8 http___bulkreasy.com_905jscb
0d8351216b3213819e0b4b823eebb19d040f32517e9b6b9d7cbae7f75b1c289f http___maggycocoa.net_i9uje
- executed by "rundll32.exe %TEMP%\ESsUtxqY.dll,qwerty 323" (the decoded payload is a DLL, loaded through the export "qwerty" with argument 323)
- sandbox reports (reverse.it):
https://www.reverse.it/sample/69022aac84e502302f00409d36f169f57dde14357b5f413270e9c05da24fa7e1?environmentId=100
https://www.reverse.it/sample/ec1b64eaea3d84e9118b356a795faf9f595f15cf1c99ab0387b513830bd4b069?environmentId=100
https://www.reverse.it/sample/3c1a3faacc62ae06cfe6c18a506005ffbce5471e93dd5d0911de81f78ff0a30d?environmentId=100
https://www.reverse.it/sample/d570e74ebe4c74a362faefe0e372fead1c5df258a51d8c0a626421b6e7b58829?environmentId=100
https://www.reverse.it/sample/7ac5e3a525167f4edfb1e60b8a82fe7a80040e7f2cf51b6d229defbd6ceab5a9?environmentId=100
https://www.reverse.it/sample/8651d10b7af4e4eedfc17e3f13ba7c90e54202906be86f770dec6350cbefd373?environmentId=100
C2:
- no C2 communication observed
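Endpoint detection for the execution chain noted above (JScript downloader run by the Windows script host, then the decoded DLL launched via rundll32 from %TEMP%), added here as an example; it is not part of the original paste and not the campaign's own code. The process-creation records are constructed, written in a simple "field=value" form joined by "|" that stands in for Sysmon event 1 fields (Image, ParentImage, CommandLine). The first rule uses the exact script name pattern from the paste; the second generalizes from the observed "ESsUtxqY.dll,qwerty 323" to any DLL loaded by rundll32 from a Temp directory with an export name, since the DLL name, export and argument are per-sample and only the location is stable, and it raises severity when the parent is a script host.

```python
import re

# Constructed Sysmon-style process-creation records (not from the original paste),
# written as "field=value" pairs joined by "|" so the example runs offline.
# Events 0 and 1 model the chain described in the paste; 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp'
    r'\Temp1_0c0a498a931d.zip\september_2016_details_~7e5a7~.js"',
    r'Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\wscript.exe'
    r'|CommandLine=rundll32.exe C:\Users\u\AppData\Local\Temp\ESsUtxqY.dll,qwerty 323',
    r'Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Windows\System32\cmd.exe'
    r'|CommandLine=wscript.exe C:\Scripts\logon.js',
]

# Script name pattern from the paste (the hex part varies per message).
DOWNLOADER_RE = re.compile(r"september_2016_details_~[0-9a-f]+~\.js\b", re.IGNORECASE)
# rundll32 loading a DLL from a Temp directory (expanded path or literal %TEMP%),
# followed by ",<export>" and optional arguments. Generalized from the observed
# "%TEMP%\ESsUtxqY.dll,qwerty 323"; the names are not hard-coded on purpose.
TEMP_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]*?(?:\\temp\\|%temp%\\)[^",\\]+\.dll)"?\s*,\s*(\w+)(?:\s+(.*))?',
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_event(line):
    """Split one constructed record into a {field: value} dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of (rule, severity, detail) hits for one event."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image in SCRIPT_HOSTS:
        m = DOWNLOADER_RE.search(cmd)
        if m:
            hits.append(("jscript_downloader_name", "high", m.group(0)))
    if image == "rundll32.exe":
        m = TEMP_RUNDLL_RE.search(cmd)
        if m:
            dll, export, args = m.group(1), m.group(2), m.group(3) or ""
            # A DLL in Temp launched by a script host is the full observed chain.
            severity = "high" if parent in SCRIPT_HOSTS else "medium"
            hits.append(("rundll32_temp_dll", severity, f"{dll},{export} {args}".strip()))
    return hits


def scan(lines):
    """Run both rules over a list of records; returns [(record index, hit), ...]."""
    return [(i, hit) for i, line in enumerate(lines) for hit in classify(parse_event(line))]


if __name__ == "__main__":
    for index, hit in scan(SAMPLE_EVENTS):
        print(index, hit)
```

The rundll32 rule will also fire on legitimate installers that stage a DLL in Temp, which is why it is scored medium on its own and high only behind wscript.exe or cscript.exe; tune the parent list to what your fleet actually runs.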