API tools faq
paste
Advertisement
Racco42

2016-09-05 Locky "Credit card receipt"

Racco42
Sep 13th, 2016
2,023
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.06 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-05 #locky email phishing camapign "Credit card receipt"
  2. http://blog.dynamoo.com/2016/09/malware-spam-we-are-sending-you-credit.htm
  3.  
  4. Email:
  5. --------------------------------------------------------------------------------------------------
  6. From: "Josef Owen" <Owen.8584@HYPERMEDIA-INNOVATION.COM>
  7. To: [REDACTED]
  8. Subject: Credit card receipt
  9. Date: Mon, 05 Sep 2016 11:56:09 +0430
  10.  
  11. Dear [REDACTED],
  12.  
  13. We are sending you the credit card receipt from yesterday. Please match the card number and amount.
  14.  
  15. Sincerely yours,
  16. Josef Owen
  17. Account manager
  18.  
  19. Attachment: 2ac16365e6.zip
  20. --------------------------------------------------------------------------------------------------
  21. - sender differs between emails
  22. - subject is "Credit card receipt"
  23. - attached file "<random hexa characters>.zip" contains "credit_card_receipt_<8 random hexa chars>.js" a JScript downloader
  24.  
  25. Download sites:
  26. http://canonsupervideo4k.ws/1bcpr7xx
  27. http://darkestzone2.wang/1i0i75gq
  28. http://listofbuyersus.co.in/2kpzu
  29. http://tradesmartcoin.xyz/3o8pon
  30. http://videoconvertermac.in/4g9h2sv
  31.  
  32. Malware:
  33. - encoded on download, SHA256 497461f4fefc4faab3ffb8e10f7371b45f2351d87cc28a626efda3adf5d88602, filesize 162308
  34. - decoded SHA256 3068bc8e4253635a9caa1556441c0f3615d147add63fb2e709a0ae7f17b7c2f6
  35. - executed via "rundll32.exe %TEMP%\zL2IXB5N.dll,qwerty 323"
  36.  
  37. https://www.reverse.it/sample/81053b69ab23eed9cfe3942cde3e9a8b514e01b62152409595f7929508066634?environmentId=100
  38. https://www.reverse.it/sample/4e045407c723d91a5dd8ecbbf6d94efdd99b50fad9b6ff0e7ffb33c888e8f071?environmentId=100
  39. https://www.reverse.it/sample/7d6acf7c3175b8c12da0ce3ab6f649fb6318f777bdf5e3c52b6d933811ed138b?environmentId=100
  40. https://www.reverse.it/sample/c671d5f15bc1ea62c42ff815a871f4da5a26275ac10d202722f2dab2a79fc760?environmentId=100
  41. https://www.reverse.it/sample/97df98463fedd3b76c1567bea330a9420e4745f1e0153cbf3aab39ae47de00bf?environmentId=100
  42.  
  43. C2:
  44. 185.162.8.101:80/data/info.php
  45. 158.255.6.109:80/data/info.php
  46. 91.211.119.71:80/data/info.php
  47. 185.154.15.150:80/data/info.php
  48. uxfpwxxoyxt.pw:80/data/info.php [188.120.232.55]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!