2016-09-28 #locky email phishing campaign "Document No xxxxxxx"
Email:
------------------------------------------------------------------------------------------------------
From: "RONALD FERMARY" <accounts@[REDACTED]>
To: [REDACTED]
Subject: Document No 6189713862
Date: Tue, 27 Sep 2016 17:40:39 -0500
Thanks for using electronic billing
Please find your document attached
Regards
RONALD FERMARY
Attachment: "Document No 6189713862.zip"
------------------------------------------------------------------------------------------------------
- sender address is accounts@<recipient's domain>
- subject is "Document No <random number>"
- attached file "Document No <random number>.zip" (matching subject) contains file <random numbers>.hta, a JScript downloader
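A mail-gateway check for the three campaign traits listed above (sender is accounts@ at the recipient's own domain, subject "Document No <digits>", a .zip attachment named after the subject). This is an added example, not part of the original paste; the sample message is constructed and the domains in it are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics taken from the campaign notes:
#  1. sender is accounts@<recipient's own domain>
#  2. subject is exactly "Document No <digits>"
#  3. a .zip attachment whose name is "<subject>.zip"
SUBJECT_RE = re.compile(r"^Document No (\d+)$")

# Constructed sample message; example.com is a placeholder domain.
SAMPLE = """\
From: "RONALD FERMARY" <accounts@example.com>
To: <someone@example.com>
Subject: Document No 6189713862
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your document attached
--b1
Content-Type: application/zip; name="Document No 6189713862.zip"
Content-Disposition: attachment; filename="Document No 6189713862.zip"

UEsDBA==
--b1--
"""

def zip_attachment_names(msg):
    """Filenames of every .zip part in the message (case-insensitive)."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(".zip")]

def matches_campaign(raw_email: str) -> dict:
    """Return which traits the message shows; 'all' is True only if every one hits."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sender_local, _, sender_domain = sender.rpartition("@")
    recipient_domain = recipient.rpartition("@")[2]
    subject = (msg.get("Subject") or "").strip()
    hits = {
        "sender_is_accounts_at_recipient_domain":
            sender_local == "accounts" and sender_domain != "" and sender_domain == recipient_domain,
        "subject_document_no": bool(SUBJECT_RE.match(subject)),
        "zip_named_after_subject": (subject + ".zip") in zip_attachment_names(msg),
    }
    hits["all"] = all(hits.values())
    return hits
```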
Download sites:
Malware:
- encoded on download, SHA256 69b70c5e011f48d21aa6a421673f6c8c78616573e52b13103b8f2590ac939250, filesize 237568 bytes
- decoded SHA256 05dbdc3e8989ee1aa3966e199d522ad913e402f495061ee8b4e64372fc9ff374
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
https://www.reverse.it/sample/ab22a21fc7c0bf6ce38ece03361ad61ff14751cc45113bb0d91227bd88e88bcb?environmentId=100
https://www.reverse.it/sample/82cc0d5b0f9af58d9fe50c73c21535d2f72f72a05e0faeed72b9c0289c970acb?environmentId=100
https://www.reverse.it/sample/7bda553058d58328dff7315d840b65a183f6de335e755998d04a9dd545488d6a?environmentId=100
https://www.reverse.it/sample/38468b54f8aaed3d41ebb80008214bfd3149363a9228dd5f198f7b6ad3db72cd?environmentId=100
C2:
- no visible C2 communication