- 2016-11-29 #locky email phishing campaign "[Scan] 201611dd hh:mm:ss"
- Email sample:
- -----------------------------------------------------------------------------------------------------------------
- From: "OPHELIA DESAVIGNY" <ophelia.desavigny.23147@walkerspartnership.co.uk>
- To: [REDACTED]
- Subject: [Scan] 2016-1130 05:29:50
- Date: Wed, 30 Nov 2016 05:29:50 +0530
- --
- Sent with Genius Scan for iOS.
- Attachment: "2016-1130 05-29-50.zip" -> "2016-1125 14-23-13.vbs"
- -----------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "[Scan] 201611<29|30> <time in 24-hour hh:mm:ss format>"
- - attached file "2016-11<29|30> <time in 24-hour hh:mm:ss format>.zip" contains file "2016-11<29|30> <time in 24-hour hh:mm:ss format>.vbs", a VBScript downloader
- Download sites:
- Malware
- - encoded on download, SHA256 913ef64659ae5f5efc8c5d792326a663c4d545d9b7452affee265984c74ae7e5, MD5 ae88127ed9f8451f730312cbbe44e91d
- - decoded SHA256 4580a67b6eedcf233f9c74723635d89f29ccf1cc58fe0c12ef0b8aa80e38aa73, MD5 c7b49ae21e22eab80c938e4a74d1bea6
- - executed by "rundll32.exe %TEMP%\<filename>.342,aqua"
- - sample
- https://www.virustotal.com/file/4580a67b6eedcf233f9c74723635d89f29ccf1cc58fe0c12ef0b8aa80e38aa73/analysis/1480482005/
- https://www.hybrid-analysis.com/sample/1702b64a46c75ab129a7ecbed947f4491004963efda8aa3b8a2ac730ac1490cb?environmentId=100
- C2:
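As an added triage example (not part of the original paste), a Python check that flags messages matching the subject and attachment naming pattern noted above; the regexes are my assumptions derived from that pattern, and the zip fixture is constructed, not the real attachment.

```python
import io
import re
import zipfile

# Patterns derived from the naming scheme noted above; the sample subject
# reads "2016-1130" while the note says "201611dd", so the dash is optional.
SUBJECT_RE = re.compile(r"^\[Scan\] 2016-?11(29|30) \d{2}:\d{2}:\d{2}$")
# The sample zip name uses hh-mm-ss; the note says hh:mm:ss. Accept both.
ZIP_NAME_RE = re.compile(r"^2016-?11-?\d{2} \d{2}[-:]\d{2}[-:]\d{2}\.zip$", re.I)
VBS_MEMBER_RE = re.compile(r"\.vbs$", re.I)


def zip_members(zip_bytes):
    """Member names of an in-memory zip; [] when the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(subject, attachment_name, attachment_bytes):
    """Return (verdict, reasons): 'match' when subject, zip name and a .vbs
    member all line up, 'suspicious' on partial evidence, else 'clean'."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches '[Scan] 201611dd hh:mm:ss'")
    if ZIP_NAME_RE.match(attachment_name):
        reasons.append("zip name matches timestamp-named attachment")
    vbs = [m for m in zip_members(attachment_bytes) if VBS_MEMBER_RE.search(m)]
    if vbs:
        reasons.append("zip carries VBScript member(s): " + ", ".join(vbs))
    if len(reasons) == 3:
        return "match", reasons
    if reasons:
        return "suspicious", reasons
    return "clean", reasons


def build_zip(member_name, payload=b"' constructed placeholder, not the downloader"):
    """Constructed fixture: a one-member zip held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample mirroring the email above (not a real attachment).
SAMPLE_ZIP = build_zip("2016-1125 14-23-13.vbs")
```

Feeding `classify_message` the subject, attachment name and attachment bytes from a mail gateway log gives a verdict plus the reasons behind it, so partial hits can be triaged rather than silently dropped.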