API tools faq
paste
Racco42

Locky "copies"

Racco42
Sep 5th, 2016
1,589
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.60 KB | None | 0 0
raw download clone embed print report
  1. #2016-09-05 #locky email phishing campaign "copies"
  2.  
  3. Email sample (sender varies):
  4. -------------------------------------------------------------------------------------------
  5. From: "Garfield Larsen"
  6. To: [REDACTED]
  7. Subject: copies
  8.  
  9. Hi ec20ceef, Lana told me you have lost some of the last few months' utility bills.
  10. So, I am sending to you the copies saved in my computer. Let me know if I sent the right receipts.
  11.  
  12.  
  13. Best Regards,
  14. Garfield Larsen
  15. -------------------------------------------------------------------------------------------
  16. Attached file <random_hexachars>.zip contains "utility_bills_copies <8_random_hexachars>.js" a JScript downloader
  17.  
  18. Download sites:
  19. http://bookinghotworld.ws/18p0no4e
  20. http://canonsupervideo4k.ws/1bcpr7xx
  21. http://canonsupervideo4k.ws/54m7lt3
  22. http://darkestzone2.wang/1i0i75gq
  23. http://darkestzone2.wang/7b5hft
  24. http://listofbuyersus.co.in/2kpzu
  25. http://listofbuyersus.co.in/jos0k
  26. http://tradesmartcoin.xyz/3o8pon
  27. http://tradesmartcoin.xyz/ncgpse
  28. http://videoconvertermac.in/4g9h2sv
  29. http://videoconvertermac.in/ofyvi52b
  30.  
  31. Malware encoded on donwload, filesizes 161796 and 162308 bytes
  32. 51abf331af1f4a6eb6d02cafee4f5f3cfb27256234cffa06a6c772e53757b6bc http___bookinghotworld.ws_18p0no4e
  33. 497461f4fefc4faab3ffb8e10f7371b45f2351d87cc28a626efda3adf5d88602 http___canonsupervideo4k.ws_1bcpr7xx
  34. 5072cfddb4df47f5c2a19799098752b6da982ed4bab42eb082878a04c84e1c70 http___canonsupervideo4k.ws_54m7lt3
  35. fd72c798c438d882cae11a61ab1eb087ca5d413ca666bfa585f7ba6aa76ae38c http___darkestzone2.wang_1i0i75gq
  36. 85ba61645e953e6124182e0716ea29824cd292fc6b060f728eefae662a6bc65a http___darkestzone2.wang_7b5hft
  37. df60ea23ff8af15221b063e53fa907a221b8836f03fe30a32b3103bf96083dcd http___tradesmartcoin.xyz_3o8pon
  38. 0cf5064b105dec0425bbf74a9825f83c17497f04ae27ce5a398fee52450377f2 http___tradesmartcoin.xyz_ncgpse
  39.  
  40. https://www.reverse.it/sample/645d9767468248c291747dbf4f62bccf33a33f61e71298190b93177e780579e6?environmentId=100
  41. https://www.reverse.it/sample/81d65fc0505daacc9669c569297593e5dfeb5e937e95570225864a7037a0160e?environmentId=100
  42. https://www.reverse.it/sample/c1d7d0fef20909ca5b312058cd39963e08da2a7a85f87a377f38571cee07a2e4?environmentId=100
  43. https://www.reverse.it/sample/3fe75bd7f7f5737ec287284c97c5a91ef8420f99cc763bfb328e3512ad97aa06?environmentId=100
  44. https://www.reverse.it/sample/5543c09ffc47514709752f4dbee05e7d4b27155290007eb33c5c9a9db46e8a9f?environmentId=100
  45.  
  46. C2:
  47. 158.255.6.109:80/data/info.php
  48. 185.154.15.150:80/data/info.php
  49. 185.162.8.101:80/data/info.php
  50. 91.211.119.71:80/data/info.php
  51. tqvaxumrdbhshcfrd.pw/data/info.php [95.211.174.92]
  52. uxfpwxxoyxt.pw/data/info.php [188.120.232.55]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!