SHOW:
|
|
- or go back to the newest paste.
| 1 | *Email sample* | |
| 2 | ||
| 3 | - | _Subject_: Payment |
| 3 | + | _Subject_: Final version of the report |
| 4 | ||
| 5 | _Body_: | |
| 6 | ||
| 7 | Dear [NAME], | |
| 8 | ||
| 9 | - | Our records show that we have not yet received payment for the previous order #A-532173 |
| 9 | + | Lance Davis asked me to send you the attached Word document, which contains the final version of the report. |
| 10 | - | Could you please send payment as soon as possible? |
| 10 | + | Please let me know if you have any trouble with the file, and please let Lance know if you have any questions about the contents of the report. |
| 11 | ||
| 12 | - | Please find attached file for details. |
| 12 | + | |
| 13 | Kind regards | |
| 14 | ||
| 15 | - | Yours sincerely |
| 15 | + | Faith Leonard |
| 16 | - | Jeremy Jackson |
| 16 | + | Chief Executive Officer |
| 17 | - | Operations Director (CEO Designate) |
| 17 | + | |
| 18 | ||
| 19 | In attachment a zip archive with a javascript file. | |
| 20 | ||
| 21 | Javascript sample - MD5: c4b65cb100b08a3e3b366ccf7c161dc9 | |
| 22 | - | Javascript sample - MD5: b217ece3ecf33fd6fc624af5d25f0840 |
| 22 | + | VT: 1/55 - https://www.virustotal.com/en/file/3fe9169a286bcedc3c7ba1da0160dded07af0540211ed32c6144cc4435f4a42e/analysis/ |
| 23 | - | VT: 1/56 - https://www.virustotal.com/en/file/a7e93e059bf53885110dddb52b5029e4e5c0b35f98ab3981a26b80a47118905d/analysis/ |
| 23 | + | |
| 24 | *Compromised domains (49)*: | |
| 25 | - | *Compromised domains (47)*: |
| 25 | + | |
| 26 | 3141592.ru/ wyesvj | |
| 27 | - | 98.131.20.17/ o41d3 |
| 27 | + | 4k18.com/ u69f97 |
| 28 | - | bbmarilu.it/ f7x1378 |
| 28 | + | aberfoyledental.ca/ 6dil05 |
| 29 | - | bbvogliadimare.it/ h573kdg |
| 29 | + | abligl.com/ 8v62l4i4 |
| 30 | - | bolanoid.ru/ vjqraq |
| 30 | + | adbm.co.uk/ 1o2wejz |
| 31 | - | btgnj.com/ a6308b |
| 31 | + | angeelle.nichost.ru/ y6s1y9h |
| 32 | - | caseificiodesantis.it/ bmvl5xz |
| 32 | + | arogyaforhealth.com/ jujg6ru |
| 33 | - | centrosportivoiunco.it/ c42en |
| 33 | + | atlantaelectronics.co.id/ quv7rcc1 |
| 34 | - | cm-seia.pt/ 0q6d4ej |
| 34 | + | babycotsonline.com/ ph42q6ue |
| 35 | barum.de/ c2blg | |
| 36 | - | control-seduction.private.pl/ eu5c1q |
| 36 | + | beautifulhosting.com.au/ rxn80 |
| 37 | - | darts-pr.ru/ 6m5hl |
| 37 | + | bilgoray.com/ vi5sfu |
| 38 | - | deangelis.co.uk/ 9189x |
| 38 | + | bobbysinghwpg.com/ pdqcqlnr |
| 39 | - | dice-design.com/ 9cotr5w |
| 39 | + | boranwebshop.nl/ ggc7ld |
| 40 | - | dugganinternational.ca/ jlv43q0 |
| 40 | + | bptec.ir/ kvk9leho |
| 41 | - | edilperle.it/ b354kx0o |
| 41 | + | cameramartusa.info/ xrfpm |
| 42 | - | fastmoneyloan.info/ 0h1vsa63 |
| 42 | + | capitalwomanmagazine.ca/ 6k1oig |
| 43 | - | fitnesclub.ru/ oc7xhbuc |
| 43 | + | century21keim.com/ c7xb2xy |
| 44 | - | folkchata.pl/ wmm4i0 |
| 44 | + | certifiedbanker.org/ obmv6590 |
| 45 | - | follyfoot.org/ todl3fc |
| 45 | + | cg.wandashops.com/ evqbfwkx |
| 46 | - | garnelenfarm.net/ jixh4iz |
| 46 | + | clients.seospell.co.in/ fkn67zy |
| 47 | - | genius-versand.de/ 9kme7u |
| 47 | + | climairuk.com/ h32k491o |
| 48 | - | hate-metal.com/ hre8fqo |
| 48 | + | climatizareonline.ro/ azkqs |
| 49 | - | hoosiernetwork.com/ 6oa4xhk |
| 49 | + | |
| 50 | - | hotstreams.ru/ o1cri71 |
| 50 | + | dentalshop4you.nl/ m22brjfz |
| 51 | - | hudebiah.net/ uhpdylx4 |
| 51 | + | disneyexperience.com/ psyyhe |
| 52 | - | ilbalconcino2011.it/ bzukq |
| 52 | + | elviraminkina.com/ ojyq1 |
| 53 | - | ingstroymash.ru/ m92xv |
| 53 | + | empiredeckandfence.com/ h2uppib |
| 54 | - | itc.slav.dn.ua/ w4b7m0 |
| 54 | + | euro-support.be/ rdl3n7u |
| 55 | focolareostuni.it/ 0k2ren | |
| 56 | - | marchandedidees.fr/ o1236qw |
| 56 | + | freesource.su/ ijugasq1 |
| 57 | - | maydenehotelblackpool.com/ 4qjb81gs |
| 57 | + | grantica.ru/ 6hjli |
| 58 | - | modband.com/ a4jw2if |
| 58 | + | honeystays.co.za/ siu2k |
| 59 | - | mr2peter.de/ myu3a6ge |
| 59 | + | ideograph.com/ k7qfsxx |
| 60 | - | namifitnessclub.it/ c6y9dcms |
| 60 | + | imetinyang.za.pl/ 74hd4by5 |
| 61 | - | newgeneration2010.it/ cx6uxxg5 |
| 61 | + | immoclic.o2switch.net/ styvuwti |
| 62 | - | newpark.co.uk/ 54yp9 |
| 62 | + | jd-products.nl/ xjld131 |
| 63 | - | oavb.com/ 9hh3ybox |
| 63 | + | |
| 64 | - | potolok-profit.ru/ od0xz9xv |
| 64 | + | margohack.za.pl/ wkiokl |
| 65 | matvil8.freehostia.com/ 64tmb1 | |
| 66 | - | saintkatherine.orthodoxy.ru/ 5uj4u6 |
| 66 | + | mycreativeprint.com/ mqib9te |
| 67 | - | staffsolut.nichost.ru/ qimiiud |
| 67 | + | oakashandthorn.charybdis.seedboxes.cc/ f7ge4y3k |
| 68 | - | turniejkrzyz.za.pl/ fz0i11 |
| 68 | + | promoresults.com.au/ gx4al |
| 69 | - | uas-aas.ca/ 4bwbk5 |
| 69 | + | |
| 70 | - | usdavetrana.it/ c474o |
| 70 | + | tip.ub.ac.id/ k2e32vh |
| 71 | - | vonenidan.de/ kdwytr |
| 71 | + | www.centroinfantilelmolino.com/ 60wfh |
| 72 | - | www.johnlodgearchitects.com/ fx89v |
| 72 | + | www.darkhollowcoffee.com/ oqlyd9m |
| 73 | - | www.puertasjoaquin.com/ nl5tl |
| 73 | + | www.ellicottcitypediatrics.com/ 7d6sdl |
| 74 | www.keven.site.aplus.net/ fmlonxl | |
| 75 | ||
| 76 | *Sampled downloaded and decoded*: | |
| 77 | - | File Name: fksdOKooVkA.exe |
| 77 | + | |
| 78 | - | MD5: 8137DC850A9F2593F331A149D6CC17CF |
| 78 | + | File Name: 9oaELw13vFr7w.exe |
| 79 | - | VT 13/54 - https://virustotal.com/en/file/6f292ac37fb327ce7223f4e7d58b93f0f3038f279ac54348c2cef430aacc44d8/analysis/ |
| 79 | + | MD5: 4d48a039371d95e49b8ef7c4e2459946 |
| 80 | VT 4/56 - https://virustotal.com/en/file/e5a6828f732bea6b66c4f6d850b235f6c1f139b10f8d9f2c3760298cfd88c163/analysis/ | |
| 81 | ||
| 82 | For this campaign the argument passed to the Locky dropper is no more 123 but 321. Credit to @siri_urz |
