2016-09-05 #locky email phishing campaign "Credit card receipt"
http://blog.dynamoo.com/2016/09/malware-spam-we-are-sending-you-credit.htm
Email:
--------------------------------------------------------------------------------------------------
From: "Josef Owen" <Owen.8584@HYPERMEDIA-INNOVATION.COM>
To: [REDACTED]
Subject: Credit card receipt
Date: Mon, 05 Sep 2016 11:56:09 +0430
Dear [REDACTED],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Josef Owen
Account manager
Attachment: 2ac16365e6.zip
--------------------------------------------------------------------------------------------------
- sender differs between emails
- subject is "Credit card receipt"
- attached file "<random hex characters>.zip" contains "credit_card_receipt_<8 random hex chars>.js", a JScript downloader
Download sites:
http://canonsupervideo4k.ws/1bcpr7xx
http://darkestzone2.wang/1i0i75gq
http://listofbuyersus.co.in/2kpzu
http://tradesmartcoin.xyz/3o8pon
http://videoconvertermac.in/4g9h2sv
Malware:
- encoded on download, SHA256 497461f4fefc4faab3ffb8e10f7371b45f2351d87cc28a626efda3adf5d88602, filesize 162308
- decoded SHA256 3068bc8e4253635a9caa1556441c0f3615d147add63fb2e709a0ae7f17b7c2f6
- executed via "rundll32.exe %TEMP%\zL2IXB5N.dll,qwerty 323"
C2:
185.162.8.101:80/data/info.php
158.255.6.109:80/data/info.php
91.211.119.71:80/data/info.php
185.154.15.150:80/data/info.php
uxfpwxxoyxt.pw:80/data/info.php [188.120.232.55]
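Detection logic for the traits listed above (subject, attachment naming, the rundll32 "qwerty" export call and the shared /data/info.php check-in path), written as an added example that is not part of the original paste. The email fields and log lines it runs over are constructed samples; the inner .js name and log formats are assumptions.

```python
import re

# Campaign traits taken from the paste above
SUBJECT = "Credit card receipt"
# "<random hex>.zip" wrapping "credit_card_receipt_<8 hex>.js"
ZIP_RE = re.compile(r"^[0-9a-f]+\.zip$", re.I)
JS_RE = re.compile(r"^credit_card_receipt_[0-9a-f]{8}\.js$", re.I)
# Post-download execution: rundll32 loading a .dll and calling export "qwerty"
RUNDLL_RE = re.compile(r"rundll32\.exe\s+\S*\\[A-Za-z0-9]+\.dll,qwerty\b", re.I)
# Check-in path shared by every C2 host in the list
C2_PATH = "/data/info.php"


def score_email(subject, zip_name, inner_names):
    """Return the campaign traits an email matches (empty list = no match)."""
    hits = []
    if subject.strip().lower() == SUBJECT.lower():
        hits.append("subject")
    if ZIP_RE.match(zip_name):
        hits.append("zip-name")
    if any(JS_RE.match(n) for n in inner_names):
        hits.append("js-downloader")
    return hits


def scan_logs(lines):
    """Flag process-creation and proxy lines matching the execution or C2 pattern."""
    alerts = []
    for line in lines:
        if RUNDLL_RE.search(line):
            alerts.append(("rundll32-qwerty", line))
        elif C2_PATH in line and ("POST" in line or "GET" in line):
            alerts.append(("c2-checkin", line))
    return alerts


# Constructed sample telemetry (not real logs); the C2 IP is one from the paste
SAMPLE_LOGS = [
    "proc: C:\\Windows\\System32\\rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\zL2IXB5N.dll,qwerty 323",
    "proxy: 10.0.0.5 POST http://185.162.8.101:80/data/info.php 200",
    "proc: C:\\Windows\\System32\\notepad.exe notes.txt",
]

if __name__ == "__main__":
    # Inner .js name is a constructed example of the pattern
    print(score_email("Credit card receipt", "2ac16365e6.zip", ["credit_card_receipt_7f3a9c1e.js"]))
    for kind, line in scan_logs(SAMPLE_LOGS):
        print(kind, "<-", line)
```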