- 2016-12-14: #locky email phishing campaign "Parcel Certificate"
- Email sample:
- ---------------------------------------------------------------------------------------------------------------------
- From: "Robin Bailey" <Bailey.Robin@pazgarde.com>
- To: [REDACTED]
- Subject: Parcel Certificate
- Date: Wed, 14 Dec 2016 16:47:54 +0700
- Dear [REDACTED],
- Please check the parcel certificate I am sending you in the attachment.
- Order number is 477-F. Quite urgent, so please review it.
- -
- Best Regards,
- Robin Bailey
- Attachment: par_cert_7727260.zip -> ~_KO8VYC_~.wsf
- ---------------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Parcel Certificate"
- - attached file "par_cert_<7 digits>.zip" contains file "~_<5-7 upper chars and digits>_~.wsf" (a Windows Script File, run by the Windows Script Host when opened, which fetches the payload from the download sites below)
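The three attachment conventions above (subject, zip name, inner script name) can be checked mechanically at the mail gateway. The Python below is an added example and not code from the original paste: it builds a constructed in-memory zip that mimics the attachment (the real .wsf downloader is deliberately not reproduced), then scores subject, zip name and inner file name against the campaign pattern. The generic script-extension check goes beyond what the post lists and is an assumption of the example.

```python
import io
import re
import zipfile

# Campaign conventions taken from the indicators in this post.
SUBJECT = "parcel certificate"
ZIP_NAME_RE = re.compile(r"^par_cert_\d{7}\.zip$", re.IGNORECASE)
WSF_NAME_RE = re.compile(r"^~_[A-Z0-9]{5,7}_~\.wsf$")
# Generalisation beyond the post (assumption): any script-host file inside a zip is worth a look.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".wsh")


def build_sample_zip(inner_name, payload=b"<job><script language='JScript'>/* placeholder */</script></job>"):
    """Build an in-memory zip with one entry. Constructed stand-in for the attachment;
    the real downloader script is not reproduced here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def triage_attachment(subject, attachment_name, attachment_bytes):
    """Return (verdict, reasons). Verdict is one of
    'locky_parcel_certificate' (all three campaign indicators match),
    'suspicious' (a script-host file inside, or an unreadable archive) or 'clean'."""
    reasons = []
    subject_hit = subject.strip().lower() == SUBJECT
    zip_hit = bool(ZIP_NAME_RE.match(attachment_name))
    if subject_hit:
        reasons.append("subject is the campaign lure 'Parcel Certificate'")
    if zip_hit:
        reasons.append("attachment name matches par_cert_<7 digits>.zip")

    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        reasons.append("attachment is not a readable zip")
        return "suspicious", reasons

    wsf_hit = False
    script_hit = False
    for name in names:
        base = name.rsplit("/", 1)[-1]  # ignore any directory prefix inside the archive
        if WSF_NAME_RE.match(base):
            wsf_hit = True
            reasons.append(f"inner file {base} matches ~_<5-7 upper chars/digits>_~.wsf")
        elif base.lower().endswith(SCRIPT_EXTS):
            script_hit = True
            reasons.append(f"inner file {base} is a script-host executable")

    if subject_hit and zip_hit and wsf_hit:
        return "locky_parcel_certificate", reasons
    if wsf_hit or script_hit:
        return "suspicious", reasons
    return "clean", reasons


if __name__ == "__main__":
    # Names taken from the email sample above; the zip content is constructed.
    sample = build_sample_zip("~_KO8VYC_~.wsf")
    print(triage_attachment("Parcel Certificate", "par_cert_7727260.zip", sample))
```

The verdict is deliberately split: a full campaign match is a block-and-alert, while a lone script-host file in a zip is a "look at it" signal, since the sender and the random part of the names change between emails and the next wave may change the lure as well.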
- Download sites:
- http://176.58.124.197/fi6ifw1w5
- http://adiosalvello.com/azro2yu
- http://aeroptim.com/9lhtqtw
- http://akkugarancia.hu/ojj5c
- http://alexandergorban.com/gstwnmcgqn
- http://andrey.goldfine.ru/wk5tfu9fpg
- http://aria-asp.ir/k7cwvi
- http://ayvalik.info.tr/udohemi
- http://bursacicekmagazasi.com/v2r3438pj8
- http://camschlampen.notgeile-amateure.com/c2knp
- http://decouer.com/ohpj3
- http://demo.fishtime.com.ua/g1q2n46a
- http://demo.ghwchina.com/thoxca
- http://design-travel.ru/iyftenb
- http://dg.gamebuffet.mobi/ah697dt
- http://dtburakakin.com/4zhdeehto
- http://dux.baidu.com/toihm6
- http://eflengu.ru/slqfqov
- http://environment.ae/ui0gi1qq
- http://eor.ir/h41qx
- http://giftoflife.nl/ofc5vmee
- http://gizlot.com/0ixbu7fhl
- http://gm-werbekonzepte.de/fm9qp
- http://johndada.se/pzn0d9w
- http://kurochka-ryaba.ru/5icp9tfsco
- http://lanehmontgomery.com/2k1ripjpbx
- http://leonsi.eu/dwzef
- http://m.cuisines-aviva.com/q3hopc9w
- http://mijnknwu.knwu.nl/kdgu1aiyu
- http://mintthaicafe.com/swctibivl8
- http://mytourbid.com/0mle9jq
- http://new.craescuela.net/4fntbqb
- http://oldenburgertransport.com/fi89qa
- http://pizzatr.net/9nzb5q7v
- http://pwdhash.com/d5sif
- http://reefclub.ru/cag2zv
- http://rkf3460.dk/xotxbf
- http://sahara-prof.ru/4tdaknluxp
- http://shop.cxweixin.cn/jt6e9avj
- http://sstaswim.com/3sczy9y5
- http://swanseabaptistchurch.org/6p0kire
- http://test.easynet.net.au/imdxb
- http://test.verox.dk/yacm5u
- http://test.yanying100.com/ekigtkxpk
- http://thelostpearls.com/plkrs
- http://tocotrucking.com/9frj4
- http://upperclassmeninc.com/67qo91yrv
- http://urachart.com/0maqspu
- http://whutszk.com/zlhv6nrcpx
- http://www.2290express.com/qbcx9elv7h
- http://www.konfidence.pl/gm1bui
- http://www.olgiatalife.it/aulhdovqsi
- http://www.socialmediaplanner.com.au/helyi4a
- http://xlraider.com/f8pqp2
- http://yoga.tanialove.com/lhfyng5r05
- http://ypgg.kr/ajro6z
- http://ziskant.com/kqnioulnfj
- UPDATE:
- http://avtomoika23.ru/qff3kkl
- http://nordvelay.fr/s5sjsn3
- http://www.ckmp.ru/sijxxshn
- Malware:
- - encoded on download (SHA256 of the encoded file as fetched; file names follow the http___host_path convention, [n] marks samples whose decoded form is listed below)
- 69588ef7e63f6ade5055227c64f2a8471d795d7da4a68e9a922b700db7f2feeb http___176.58.124.197_fi6ifw1w5
- f8d5f68c97abf5b63b4c86ecd6e33fb16c69a8036770de684a2a05636fb96121 http___aeroptim.com_9lhtqtw
- a24c2a0374484435d077b86dc8856efb7dbfb78ffa6e54ca4b6f06eadb5caf1f http___akkugarancia.hu_ojj5c [2]
- ccb1e1e807500252a7f2350fa4d7a8b36c739bd57599a5b1079e123fdd51830f http___alexandergorban.com_gstwnmcgqn
- 912e0aaec346598c92914a01fbc77a4c7e7cd43dab0b87f4c95017d17c18049b http___andrey.goldfine.ru_wk5tfu9fpg
- bb50ca69165eb0a05720ca20c49bc42d47b6a156b88dfd58f6ac62aa615562a4 http___aria-asp.ir_k7cwvi
- 6b15b333f418d6ff415dba460270fa445a437836d09a7dfe9f7763ee5e17f2c3 http___ayvalik.info.tr_udohemi
- 6d030ac5ec6f2228e2e16d64538dd454736ab6d3aa09078f9dd46e90b3cd92f8 http___bursacicekmagazasi.com_v2r3438pj8
- caa2ba13da1433864af16572ae4c58daecc0c9a8f737fea3aef12759562d730c http___camschlampen.notgeile-amateure.com_c2knp
- be17b8d7c3ca445bba9e3993ebf3860c0f939abc4e235e337606176613263dad http___decouer.com_ohpj3
- 2a4561c470df2613b59811791b2f3f5411260c0f16087113cc6fca1d95d334c1 http___demo.fishtime.com.ua_g1q2n46a
- 1cb3cea0176f2b712f3ffb86bea7be898be209461a1f8a8c1b1adecb3a830280 http___demo.ghwchina.com_thoxca
- f783f3eb887ca8a856e61770ec392a941971e8cbe05df48299a5104303f8ed68 http___design-travel.ru_iyftenb
- 7885b9c65a22fef440e958cb6a3e50965bfbba06440c28507607c6240a9f37a9 http___dg.gamebuffet.mobi_ah697dt
- c3014cd7fa162788c9a39c173435279bb70b2d91592e0021c5af5f73dc3a625b http___dtburakakin.com_4zhdeehto
- de04e4001f853fe9fb6253e6e336ac852519655bc03a5ae7a416cef9bc666f96 http___dux.baidu.com_toihm6
- a992006724e90ed2f520ab799bbbcf0364312cfdf9e9f40072c51c4f2c04d607 http___eflengu.ru_slqfqov
- 0f1b5898033621b62c8dd7f56725f524b0b2cb5444ca3d7055709594e11c0585 http___environment.ae_ui0gi1qq
- 7418b2e46eafea389395da6d612c712da08e41fd382f231239a509bf98ec9ac0 http___eor.ir_h41qx
- a35084c774ece9eb936f7efdd1632e4e24240e97c05258f913dad31aeda5450c http___giftoflife.nl_ofc5vmee
- e2d99f5b538f1abdebb7ebcaa609ec5aeec35ff4e81a3196cc63c1da0143ff9a http___gizlot.com_0ixbu7fhl [1]
- e56043d99a6a7b0563a02535e5bc440f32b8fcec8812478b66cf33cd00fb0502 http___gm-werbekonzepte.de_fm9qp
- f2c06cb35e06a80ee1fa24e83fb1302ba8901d58f67b8ba54662b53f4683c9a0 http___johndada.se_pzn0d9w
- 3649c07638a5065b2adf4f027f31ddf2827fa691c433f5b3a03c4c96713ae290 http___kurochka-ryaba.ru_5icp9tfsco [6]
- 6c764946a0f49acb149349ceec3c12256883b106736d037b41b74a7183de83a5 http___lanehmontgomery.com_2k1ripjpbx
- 82e9d5522bcccf178e073a2b9c64ded9a6ec500132ca8e94e572721737c72e06 http___leonsi.eu_dwzef
- d7186d61ca90df31e158e1f001d6c09669938c87b8d975f863ae51cfb718e71c http___m.cuisines-aviva.com_q3hopc9w
- 0a4e9a7e5804e1d552f57a6055c8c54ef36862c8f2659cfeec5d4fffacdf002d http___mijnknwu.knwu.nl_kdgu1aiyu
- 91314e58e95af5546ae039f4a39624eea3d05cac6b72cd99b1a4551a2088e58e http___mintthaicafe.com_swctibivl8
- 37477699b69cefe04b204ba9c62b7d34760ed22c3697db1231a79485621cf21c http___mytourbid.com_0mle9jq
- 17ce34019e70ba106e7c3d0d52ae96ed3cfeed5d1983ceb2db78645b735c03df http___new.craescuela.net_4fntbqb
- c874b775074af75825bba873a9926d93f51ac2bb12de4eab2f83b037603f293f http___oldenburgertransport.com_fi89qa
- cb2ca74b6bff54686f32dcf5cf4a3a892b161a30b20f6ee21141a0c3155f1290 http___pizzatr.net_9nzb5q7v
- bf775b71704dc424c1ed33d2a0f5fa23491664bf14f7975add72cee1432ec2b0 http___pwdhash.com_d5sif [4]
- 324a8674138072570bfea4fabf31b21739c343f1e0fabf4f6e335503b6dd9875 http___reefclub.ru_cag2zv [3]
- 5c762e768ac27a512731e4cf4c6378eeebd6e816ca2010e5d49fa8d455bde719 http___rkf3460.dk_xotxbf
- ad63d0aed8d0ef73b1b24906c9abad626b47515a3314670c4c5cc9d1a39fbc7c http___sahara-prof.ru_4tdaknluxp
- aebdef453ea2d542e9c0371978ee7de1b942427bd507370e3687d42045a314dc http___shop.cxweixin.cn_jt6e9avj
- 56c1ce04689c64438552a4016473f725da908dba2fb8078ed078e8088ef6ae97 http___sstaswim.com_3sczy9y5
- 6ce780944c5ef26d05eea223da552013013f8fc80c693be3d9e319855b0cd854 http___swanseabaptistchurch.org_6p0kire
- 3f7e91413596dd86262021153d677fb0b8e91d0ef7c1491b2df5f27241414741 http___test.easynet.net.au_imdxb
- 3272f3523399d322457c432d7957e4618fef5c44d58767ab6a43b247caab5e0a http___test.verox.dk_yacm5u
- aa83af96bd2e3ef350ff1cb3b039d63249a3b40d4714447a0696690b47f33498 http___thelostpearls.com_plkrs
- 8c4dba7430a90830c83378610101008b2f5e4e3f1c833477d41c7d3934414b79 http___tocotrucking.com_9frj4
- 90b1f4fc38be1bddce90161824746af217f9997a52634f12fa4ef3d51c9c2102 http___upperclassmeninc.com_67qo91yrv
- 39db6ea56857440c5ba11fdd283638232bbc4df963f811d2190b642691e862eb http___urachart.com_0maqspu
- fc374d0ed61c0c87113fde95560b084fa61e33996c4f061e84fcd6b892a61c98 http___whutszk.com_zlhv6nrcpx
- 4eccbf21c69582de51a0363330c6af73cca3b775ef9d245c00ca1d5e4d06746d http___www.konfidence.pl_gm1bui
- a19df04d169c54334d9cd83fb4105d7e8a889e8d512f67aa8917b84f5c2b8098 http___www.olgiatalife.it_aulhdovqsi
- 91e245f790f47bb47bb0fecd6f9f19069c86db9bcd23401b7c1e17e1f738669f http___www.socialmediaplanner.com.au_helyi4a
- f42702c1d820ec1dbd0f875f50f88c3f0fc827c1513c76375318c86786f11daa http___xlraider.com_f8pqp2
- d21300bf92d6501de94250ce4682b92606617b2e675bbdbd1b5fe1904a08a655 http___yoga.tanialove.com_lhfyng5r05
- 82a1bb0a979c72bf4e4fe2b016e1d64af1dbff38acebeea736b923f9f593c957 http___ypgg.kr_ajro6z [5]
- 9c495c41a66705c756cdf25988fbd1f7c76fd2d991e4f89e002d9f93318584d9 http___ziskant.com_kqnioulnfj
- - decoded (SHA256 of the decoded payload; [n] refers to the encoded download above)
- d4a2a4fc982d52e295e03aab010bd9c6e64e16f8c16548d82f40d9d4198e1802 [1]
- bb194d74778ad151b59f8652926de9b537b125053bfb14e642b9b89d489465b5 [2]
- 528cc81c9ef9fe1e2d67750b51ebf4a01338e70345e6606251adea5d0c69b85e [3]
- 71d1fe74d25e97c53d10031316515f9a2156a48a1caa0db208062d93b01fae91 [4]
- 844ffc80cbc22bcbf8fa9eb0edf361067fd00024695b594af5b3c40eef06791e [5]
- da58654d9adabcde4aa63f95cbd7e3b0104abf051dd77e5599938683031fa904 [6]
- - the decoded payload is a DLL, executed by "rundll32.exe %TEMP%\<filename>.ZK,Ajp3yeeaD7P2stvWfcPLhIWeWaBWU"
- - samples (VirusTotal analyses of the decoded payloads)
- https://www.virustotal.com/file/d4a2a4fc982d52e295e03aab010bd9c6e64e16f8c16548d82f40d9d4198e1802/analysis/1481711422/ [1]
- https://www.virustotal.com/file/bb194d74778ad151b59f8652926de9b537b125053bfb14e642b9b89d489465b5/analysis/1481711429/ [2]
- https://www.virustotal.com/file/528cc81c9ef9fe1e2d67750b51ebf4a01338e70345e6606251adea5d0c69b85e/analysis/1481711435/ [3]
- https://www.virustotal.com/file/71d1fe74d25e97c53d10031316515f9a2156a48a1caa0db208062d93b01fae91/analysis/1481711441/ [4]
- https://www.virustotal.com/file/844ffc80cbc22bcbf8fa9eb0edf361067fd00024695b594af5b3c40eef06791e/analysis/1481711448/ [5]
- https://www.virustotal.com/file/da58654d9adabcde4aa63f95cbd7e3b0104abf051dd77e5599938683031fa904/analysis/1481711454/ [6]
- C2:
- POST http://185.129.148.56/checkupdate
- POST http://213.32.113.203/checkupdate
- POST http://86.110.117.155/checkupdate
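Pulling the download URLs, the rundll32 launch pattern and the C2 endpoints together, the Python below is an added example (not from the original paste) that runs the indicators over a few constructed proxy and process-creation log lines. It uses only a subset of the URLs above, derives the http___host_path file name the hash list uses from the URL, and treats a POST to /checkupdate on a bare IP outside the listed C2 hosts, or a rundll32 load of a .ZK file with an export other than the listed one, as a lower-confidence pattern match; those two generalizations and all log lines are constructed for the example, and the workstation names and the TEMP file name are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from this post: a subset of the download sites and all three C2 hosts.
DOWNLOAD_URLS = {
    "http://176.58.124.197/fi6ifw1w5",
    "http://gizlot.com/0ixbu7fhl",
    "http://pwdhash.com/d5sif",
    "http://avtomoika23.ru/qff3kkl",
}
C2_HOSTS = {"185.129.148.56", "213.32.113.203", "86.110.117.155"}
C2_PATH = "/checkupdate"
KNOWN_EXPORT = "Ajp3yeeaD7P2stvWfcPLhIWeWaBWU"

# rundll32.exe <path>.ZK,<export> as recorded in the post
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.ZK),([A-Za-z0-9_]+)", re.IGNORECASE)

# Constructed sample logs. Proxy: timestamp client method url status. Process: timestamp host cmdline.
# Workstation names, the TEMP file name and the 203.0.113.9 host are hypothetical.
PROXY_LOG = """\
2016-12-14T10:05:11Z 10.0.0.23 GET http://gizlot.com/0ixbu7fhl 200
2016-12-14T10:05:12Z 10.0.0.23 GET http://www.example.com/index.html 200
2016-12-14T10:05:40Z 10.0.0.23 POST http://185.129.148.56/checkupdate 200
2016-12-14T10:06:02Z 10.0.0.44 POST http://203.0.113.9/checkupdate 200
"""
PROCESS_LOG = """\
2016-12-14T10:05:30Z WS023 rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\TH2KA.ZK,Ajp3yeeaD7P2stvWfcPLhIWeWaBWU
2016-12-14T10:07:00Z WS044 rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
"""


def url_to_sample_name(url):
    """Map a download URL to the http___host_path file name convention used in the hash list."""
    return re.sub(r"[:/]", "_", url)


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_proxy(lines):
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if url in DOWNLOAD_URLS:
            alerts.append({"sev": "high", "kind": "locky_download", "ts": ts, "src": client,
                           "detail": url_to_sample_name(url)})
        elif method == "POST" and parts.path == C2_PATH:
            if host in C2_HOSTS:
                alerts.append({"sev": "high", "kind": "locky_c2", "ts": ts, "src": client, "detail": host})
            elif is_bare_ip(host):  # generalisation (assumption): same beacon path, host not on the list
                alerts.append({"sev": "medium", "kind": "c2_pattern", "ts": ts, "src": client, "detail": host})
    return alerts


def scan_process(lines):
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, cmdline = line.split(maxsplit=2)
        m = RUNDLL_RE.search(cmdline)
        if not m:
            continue
        path, export = m.groups()
        # Known export = high; any other .ZK loaded through rundll32 is still abnormal (assumption).
        sev = "high" if export == KNOWN_EXPORT else "medium"
        alerts.append({"sev": sev, "kind": "locky_rundll32", "ts": ts, "src": host,
                       "detail": f"{path},{export}"})
    return alerts


def scan(proxy_log=PROXY_LOG, process_log=PROCESS_LOG):
    return scan_proxy(proxy_log.splitlines()) + scan_process(process_log.splitlines())


if __name__ == "__main__":
    for a in scan():
        print(a["sev"], a["kind"], a["ts"], a["src"], a["detail"])
```

The url_to_sample_name helper is there so an analyst can go from a proxy hit straight to the matching encoded-sample hash line above; correlating a download hit, a rundll32 .ZK launch and a /checkupdate POST from the same host within a few minutes is the sequence the post records, and is a stronger signal than any one of them alone.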