- 2017-10-18: #locky email phishing campaign "Message from xxxxxxxxxx"
- Email sample:
- ----------------------------------------------------------------------------------------------------------------------------
- From: "Voice Message Server" <server@9455091376.[REDACTED]>
- To: [REDACTED]
- Subject: Message from 02083355385
- Date: Wed, 18 Oct 2017 14:07:31 -0400
- 18/10/2017, 14:07:31 PM
- 61,{rndnum(1,1)}}-second message deposited by 02083355385
- Attachment: Voice Message(02083355385.7z -> F641319669.vbs
- ----------------------------------------------------------------------------------------------------------------------------
- - sender address is forged to come from "Voice Message Server", from the same domain as the recipient - server@<10 digits>.<domain>
- - subject is "Message from <10 digits>"
- - body contains the unexpanded expression "{rndnum(1,1)}}"
- - attached file "Voice Message(<11 digits>.7z" contains the file "F<9-10 digits>.vbs", a VBScript downloader which will download from:
- Download sites:
- http://jeangurunlian.com/3g76fh
- http://peopleiknow.org/3g76fh
- http://petrochemus.com/3g76fh
- http://rateventrithathen.infov/p66/3g76fh
- http://stemcellenhancementresearch.com/3g76fh
- Malware:
- - locky ransomware, offline .asasin variant
- - SHA256: 3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3, MD5: c0a4db485d6759fdaab0175157909e23
- - VT: https://www.virustotal.com/file/3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3/analysis/1508346407/
- - HA: https://www.hybrid-analysis.com/sample/3fd66cbb34e75cf5a0cf2b12d34de68ff51794ae033208c42ac0eaa7f68cf6e3?environmentId=100
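
Added example (not part of the original paste): a mail-filter check that scores a message against the four email traits listed above. The trait names, the `example.com` stand-in for the redacted domain, the 3-of-4 threshold, and the 10-or-11-digit tolerance in the subject (the note says 10, the sample shows 11) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email in the note; example.com stands in
# for the redacted recipient domain.
SAMPLE = """\
From: "Voice Message Server" <server@9455091376.example.com>
To: user@example.com
Subject: Message from 02083355385
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

61,{rndnum(1,1)}}-second message deposited by 02083355385
--b
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Voice Message(02083355385.7z"

--b--
"""

def campaign_traits(raw):
    """Return the set of traits from the note that this message matches."""
    msg = message_from_string(raw)
    hits = set()
    name, addr = parseaddr(msg.get("From", ""))
    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    # Sender: server@<10 digits>.<recipient's own domain>
    m = re.fullmatch(r"server@\d{10}\.(.+)", addr.lower())
    if name == "Voice Message Server" and m and m.group(1) == rcpt_domain:
        hits.add("forged_sender")
    if re.fullmatch(r"Message from \d{10,11}", msg.get("Subject", "").strip()):
        hits.add("subject")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if re.fullmatch(r"Voice Message\(\d{11}\.7z", fname):
            hits.add("attachment_name")
        if part.get_content_type() == "text/plain" and not fname:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if re.search(r"\{rndnum\(\d+,\d+\)\}", body):
                hits.add("unexpanded_template")
    return hits

def is_suspect(raw, threshold=3):
    # Assumed policy: require several traits so one coincidence is not enough.
    return len(campaign_traits(raw)) >= threshold
```

The unexpanded `{rndnum(...)}` macro is the most durable of the four traits, since it reflects a fault in the sender's templating rather than a value that rotates per message.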