Racco42

2016-09-27 Locky "Document No xxxxxxx"

Sep 27th, 2016
2016-09-28 #locky email phishing campaign "Document No xxxxxxx"

Email:
------------------------------------------------------------------------------------------------------
From: "RONALD FERMARY" <accounts@[REDACTED]>
To: [REDACTED]
Subject: Document No 6189713862
Date: Tue, 27 Sep 2016 17:40:39 -0500

Thanks for using electronic billing
Please find your document attached
Regards

RONALD FERMARY

Attachment: "Document No 6189713862.zip"
------------------------------------------------------------------------------------------------------
- sender address is accounts@<recipient's domain>
- subject is "Document No <random number>"
- attached file "Document No <random number>.zip" (matching subject) contains file <random numbers>.hta, a JScript downloader

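Added example (not part of the original paste): a mail-gateway triage check for the three lure traits listed above, namely the forged accounts@<recipient's own domain> sender, the "Document No <digits>" subject, and a zip named after the subject that carries an .hta. The sample message is constructed here with a benign placeholder .hta; the victim.example domain, the extra script extensions beyond .hta and the quarantine thresholds are assumptions, not facts from the paste.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure pattern from the paste: subject "Document No <digits>", zip attachment named
# after the subject, containing an .hta downloader.
SUBJECT_RE = re.compile(r"^Document No (\d+)$")
# .hta is what this campaign shipped; the other extensions are an assumption about
# which script types a gateway would also want to flag inside a zip.
SCRIPT_EXTS = (".hta", ".js", ".jse", ".wsf", ".vbs")


def build_sample_eml() -> bytes:
    """Constructed lookalike of the campaign mail; the .hta inside is a benign placeholder."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("6189713862.hta", "<html><!-- placeholder, not the real downloader --></html>")
    msg = EmailMessage()
    msg["From"] = '"RONALD FERMARY" <accounts@victim.example>'  # victim.example is assumed
    msg["To"] = "someone@victim.example"
    msg["Subject"] = "Document No 6189713862"
    msg["Date"] = "Tue, 27 Sep 2016 17:40:39 -0500"
    msg.set_content("Thanks for using electronic billing\nPlease find your document attached\n"
                    "Regards\n\nRONALD FERMARY\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Document No 6189713862.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Check one raw message against the lure traits and return the individual findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    to_addr = parseaddr(msg.get("To", ""))[1]
    from_local, _, from_domain = from_addr.rpartition("@")
    to_domain = to_addr.rpartition("@")[2]
    subject = str(msg.get("Subject", ""))
    findings = {
        # the sender is forged as accounts@<the recipient's own domain>
        "spoofed_internal_sender": bool(from_domain)
        and from_local.lower() == "accounts"
        and from_domain.lower() == to_domain.lower(),
        "subject_pattern": SUBJECT_RE.match(subject) is not None,
        "zip_named_after_subject": False,
        "scripts_in_zip": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if name == f"{subject}.zip":
            findings["zip_named_after_subject"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # corrupt archive: the header findings still count, but it cannot be inspected
        findings["scripts_in_zip"] += [m for m in names if m.lower().endswith(SCRIPT_EXTS)]
    hits = sum([findings["spoofed_internal_sender"], findings["subject_pattern"],
                findings["zip_named_after_subject"], bool(findings["scripts_in_zip"])])
    # thresholds are an assumption; tune them against real mail flow before enforcing
    findings["verdict"] = "quarantine" if hits >= 3 else "review" if hits == 2 else "pass"
    return findings
```

The sender check deliberately compares the From domain with the To domain rather than a fixed list, since the paste reports the forged address as accounts@<recipient's domain>; a gateway that only sees the envelope should apply the same test to the RCPT TO domain.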
Download sites:
http://all-rides.com/g76vub8
http://anonos.com/g76vub8
http://aseandates.com/g76vub8
http://chanlytech.com/g76vub8
http://clankcutup.com/g76vub8
http://datalinks.ir/g76vub8
http://discutivo.com/g76vub8
http://dom-dekor.net/g76vub8
http://esteknik.net/g76vub8
http://gaa-sc.org/g76vub8
http://goodkiddy.com/g76vub8
http://handicraftmag.com/g76vub8
http://hid2s.com/g76vub8
http://kelownatownhomes.com/g76vub8
http://lampaman.com/g76vub8
http://llyrical.com/g76vub8
http://nicacadie.com/g76vub8
http://rdoent.com/g76vub8
http://supergem.net/g76vub8
http://taddboxers.com/g76vub8
http://turkbyte.com/g76vub8
http://velolenta.com/g76vub8
http://vi-key.ru/g76vub8
http://visiprima.com/g76vub8
http://vmarzal.com/g76vub8
http://www.resumebuddy.net/g76vub8
http://xoomland.com/g76vub8
http://zekocase.com/g76vub8

UPDATE:
http://ailincey.com/g76vub8
http://airop.net/g76vub8
http://bbs.vlibang.com/g76vub8
http://bilisimomega.com/g76vub8
http://edunonline.com/g76vub8
http://enricobasili.com/g76vub8
http://fightingtommyriley.com/g76vub8
http://hjggt.com/g76vub8
http://kgng.net/g76vub8
http://noisecontrols.com/g76vub8
http://odinhome.com/g76vub8
http://spmoya-semya.ru/g76vub8
http://taiwotung.com/g76vub8
http://upper-classmen.com/g76vub8
http://us-htpc.com/g76vub8
http://xiangyangweb.net/g76vub8
http://zorgboerderijtzicht.nl/g76vub8

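Added example (not part of the original paste): a proxy-log sweep for the download stage. Every URL above shares the path /g76vub8 across otherwise unrelated, presumably compromised, hosts, and the host list grew after the paste was first published (see the UPDATE), so the path token is the indicator to match on first and the host list only corroborates. The log lines are constructed in Squid native access.log layout, the host subset is taken from the list above, notyetlisted.example stands in for a host the list does not yet contain, and the byte-count tolerance is an assumption (Squid's byte field includes reply headers, so an exact match on the 237568-byte encoded payload size from the Malware section is not expected).

```python
from urllib.parse import urlsplit

# Path token shared by every download URL in the paste.
PATH_TOKEN = "/g76vub8"
# Subset of the hosts listed in the paste; the full list is longer and was still growing.
KNOWN_HOSTS = {
    "all-rides.com", "anonos.com", "datalinks.ir", "www.resumebuddy.net",
    "taiwotung.com", "zorgboerderijtzicht.nl",
}
ENCODED_PAYLOAD_SIZE = 237568   # bytes, size of the encoded download per the paste
SIZE_TOLERANCE = 2048           # assumption: allows for reply headers counted by the proxy

# Constructed Squid native access.log lines, not real traffic:
# timestamp elapsed client action/code bytes method url ident hierarchy content-type
SAMPLE_LOG = """\
1475019639.123    450 10.0.0.15 TCP_MISS/200 237900 GET http://anonos.com/g76vub8 - HIER_DIRECT/203.0.113.5 application/octet-stream
1475019641.872    380 10.0.0.22 TCP_MISS/200 237900 GET http://notyetlisted.example/g76vub8 - HIER_DIRECT/203.0.113.9 application/octet-stream
1475019650.004     90 10.0.0.15 TCP_MISS/200 5120 GET http://all-rides.com/index.html - HIER_DIRECT/203.0.113.5 text/html
1475019655.311    120 10.0.0.31 TCP_MISS/200 8812 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def parse_squid(line: str):
    """Split one Squid native-format line into the fields the classifier needs."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": float(f[0]), "client": f[2], "status": f[3],
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def classify(rec: dict):
    """Return (severity, reasons) for one request, or (None, []) if it is not of interest."""
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    on_path = u.path == PATH_TOKEN
    on_host = host in KNOWN_HOSTS
    if on_path:
        reasons = ["locky-download-path"]   # the strong indicator: fires on unlisted hosts too
        if on_host:
            reasons.append("known-host")
        if rec["status"].endswith("/200") and abs(rec["bytes"] - ENCODED_PAYLOAD_SIZE) <= SIZE_TOLERANCE:
            reasons.append("size-match")    # corroborates that the payload was actually served
        return "high", reasons
    if on_host:
        # a listed host is a compromised legitimate site; other pages on it are not the lure
        return "low", ["compromised-host-only"]
    return None, []


def scan(log_text: str):
    """Run the classifier over a whole log and return (client, url, severity, reasons) hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid(line)
        if rec is None:
            continue
        sev, reasons = classify(rec)
        if sev:
            hits.append((rec["client"], rec["url"], sev, reasons))
    return hits
```

The "high" hit on notyetlisted.example is the point of matching on the path: the same sweep written as a host blocklist would have missed every domain the paste's UPDATE added later.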
Malware:
- encoded on download, SHA256 69b70c5e011f48d21aa6a421673f6c8c78616573e52b13103b8f2590ac939250, filesize 237568 bytes
- decoded SHA256 05dbdc3e8989ee1aa3966e199d522ad913e402f495061ee8b4e64372fc9ff374
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
https://www.reverse.it/sample/ab22a21fc7c0bf6ce38ece03361ad61ff14751cc45113bb0d91227bd88e88bcb?environmentId=100
https://www.reverse.it/sample/82cc0d5b0f9af58d9fe50c73c21535d2f72f72a05e0faeed72b9c0289c970acb?environmentId=100
https://www.reverse.it/sample/7bda553058d58328dff7315d840b65a183f6de335e755998d04a9dd545488d6a?environmentId=100
https://www.reverse.it/sample/38468b54f8aaed3d41ebb80008214bfd3149363a9228dd5f198f7b6ad3db72cd?environmentId=100

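Added example (not part of the original paste): endpoint-side detection of the execution stage reported above, "rundll32.exe %TEMP%\<dll_name>,qwerty". The parser handles both quoted and unquoted DLL paths and both the comma and the whitespace separator rundll32 accepts between DLL and entry point, so a variant that only changes quoting does not slip past. The process events are constructed; the parent-process check is an assumption (an .hta is hosted by mshta.exe, so the downloader's child would normally have that parent, but the paste does not state the process tree), as are the severity levels.

```python
import ntpath
import re

# Execution indicator from the paste: rundll32.exe %TEMP%\<dll_name>,qwerty
SUSPECT_EXPORT = "qwerty"
TEMP_DIR_RE = re.compile(r"(?i)(^%temp%\\|\\appdata\\local\\temp\\|\\windows\\temp\\)")
# Assumption: an .hta runs under mshta.exe; the other two are the usual script hosts.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def parse_rundll32(cmdline: str):
    """Return (dll_path, export) if cmdline invokes rundll32, else None."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return None
    image = m.group(1) or m.group(2)
    if ntpath.basename(image).lower() not in ("rundll32.exe", "rundll32"):
        return None
    rest = cmdline[m.end():].lstrip()
    if rest.startswith('"'):                 # quoted DLL path, may contain spaces
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                    # unquoted path ends at the first comma or space
        n = re.match(r"[^,\s]*", rest)
        dll, tail = n.group(0), rest[n.end():]
    if not dll:
        return None
    # rundll32 accepts "dll,Export" and "dll Export"; the paste shows the comma form
    tail = tail.lstrip(", \t").split()
    return dll, (tail[0] if tail else "")


def assess(event: dict):
    """Score one process-creation event; returns None when nothing is suspicious."""
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return None
    dll, export = parsed
    reasons = []
    if TEMP_DIR_RE.search(dll):
        reasons.append("dll-in-temp")
    if export.lower() == SUSPECT_EXPORT:
        reasons.append("export-qwerty")
    if event.get("parent", "").lower() in SCRIPT_HOSTS:
        reasons.append("script-host-parent")
    if not reasons:
        return None
    # severity levels are an assumption; the export name alone is campaign-specific enough for "high"
    sev = "high" if "export-qwerty" in reasons or len(reasons) >= 2 else "low"
    return {"dll": dll, "export": export, "severity": sev, "reasons": reasons}


# Constructed process-creation events (parent image name + full command line), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "mshta.exe", "cmdline": r"rundll32.exe %TEMP%\7af3b2.dll,qwerty"},
    {"parent": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\x y.dll",qwerty'},
    {"parent": "explorer.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "msiexec.exe", "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\setup.dll Install"},
    {"parent": "explorer.exe", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]


def hunt(events):
    """Apply assess() to every event and keep the findings, in input order."""
    return [r for r in (assess(e) for e in events) if r is not None]
```

The fourth sample event, an installer's DLL in %TEMP% with an ordinary export, is why the temp-directory test alone is only "low": legitimate software does that, whereas the qwerty entry point is specific to this loader.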
C2:
- no visible C2 communication