2016-09-23 #locky email phishing campaign "Document from xxxxxx"
Email:
--------------------------------------------------------------------------------------
From: Rosanna hockey <Rosanna7089@gmail.com>
To: [REDACTED]
Subject: [SUSPICIOUS MESSAGE] Document from Rosanna
Date: Fri, 23 Sep 2016 11:51:01 +0100
Attachment: DOC-20160923-WA00059.docm
--------------------------------------------------------------------------------------
- sender varies between emails, but the sender domain is always @gmail.com
- subject is "Document from <name matching sender>"
- body of the email is empty
- attached file "DOC-20160923-WA000<random number>.docm" is a macro-enabled Microsoft Word document that will download malware from:
Download sites:
http://alabamataskforce1.com/bdb37
http://altechleasing.com/bdb37
http://attractionhairandbeauty.com/bdb37
http://autorijschoolpedro.nl/bdb37
http://azerltd.com/bdb37
http://catcsr.com/bdb37
http://cignitech.com/bdb37
http://fcafrica.org/bdb37
http://giaythethaonike.com/bdb37
http://melbourneacousticduo.com/bdb37
http://rentalcartours.net/bdb37
http://teknodate.com/bdb37
http://ubonria.com/bdb37
http://umieki.net/bdb37
http://vmastera.ru/bdb37
http://welovekgc.com/bdb37
http://www.GANANDO.MX/bdb37
http://www.sikharaprojects.com/bdb37
UPDATE:
http://ecoledesalsa.com/bdb37
http://gokmasan.com/bdb37
http://sotorentals.com/bdb37
UPDATE2:
http://cynonnet.com/bdb37
http://demo.dhrutidesign.com/bdb37
http://ftpandina.atv.com.pe/bdb37
http://inanre.com/bdb37
http://mahboob-e-rehmani.com/bdb37
http://purebanquet.com/bdb37
http://reseat.us/bdb37
http://rutlandhall.com/bdb37
Malware:
- encoded on download, SHA256 8c6da59e696bac4f9d5aa712afed5da22bfded628beac6d2f7f4da798cb5bed4, filesize 234496 bytes [1]
- encoded on download, SHA256 04ee6075f061022a342b1aee093feb552f554d7897b08e87588640d354519ca1, filesize 184320 bytes [2]
- decoded SHA256 8e00baff0d71259f7d1648871f1b135f76feed814782b438ccf0e7eaa43f6b05 [1]
- decoded SHA256 914a3f5c518087e4e49509610ea4367a9e9f3301b3a42682606616ace56215ab [2]
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples:
https://www.reverse.it/sample/9041479d72527f7dea6a8fe1a6f9786df7e8fcdb1e3aa5513b3e13c2f0c83c55?environmentId=100
https://www.reverse.it/sample/537870eb6ccd5dfade1d5366b9654716891b6bcb304bf3304b1fb0e9d0ac6fcb?environmentId=100
https://www.reverse.it/sample/462366a208b0739b01d71fb0d44bf09076820c0ccc3e181139dc2addac45b6a8?environmentId=100
https://www.reverse.it/sample/a35ef12e3019c1525b60d06bbd4aa3921a30b0a2b578e35ee4fb09b364bcd0ea?environmentId=100
https://www.reverse.it/sample/31a40251eac180b0a24d53a92f530cb8d6c61db2d6b3e9aac9b4d834bfeb0ba5?environmentId=100
https://www.reverse.it/sample/c34a253e6bf03692c180a028b0ac9643fc5f2b155566243a83039f5e6629456b?environmentId=100
https://www.reverse.it/sample/d9f73a4d39205954203c38dd7329703b4f83037785749d561eccb10655b0a421?environmentId=100
https://www.reverse.it/sample/98e5a7c94b419697156d19dbc2e34f7c3fda4949e6beed2309eb4dc434da8d2a?environmentId=100
https://www.reverse.it/sample/fd47c43f9f505a6f128b5265a20265093bb63ff8811ae4fd856f2bf3958f1b02?environmentId=100
https://www.reverse.it/sample/be0aaa382075b4aa72a8eb70f6bf44233ad2c494fb677677eafb23762093815d?environmentId=100
https://www.reverse.it/sample/d2a3c0a2f270a3f356d12c69dee292da7652ffe67a78e5e67cf21f50cd21d75d?environmentId=100
C2:
POST 158.255.6.129:80/data/info.php
POST 94.242.57.152:80/data/info.php
POST jfmiondv.xyz:80/data/info.php [91.239.235.130]
POST wnrgttsfmhfmmoqxm.biz:80/data/info.php [69.195.129.70]
POST eapsylykyvfkjbctn.biz:80/data/info.php [95.211.174.92]
POST tswsgajtwhqkosd.su:80/data/info.php [91.239.235.130]
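The indicators above fall into three detection points: the lure (gmail.com sender, "Document from <sender name>" subject, empty body, DOC-20160923-WA000*.docm attachment), the network side (any GET for the /bdb37 path, and POSTs to /data/info.php on the listed C2 hosts), and the host side (rundll32 invoking a DLL in %TEMP% by the export name "qwerty"). The script below is an added example and is not part of the paste: it turns those indicators into matching functions and runs them over constructed mail, proxy and process-creation records. The log line formats are invented for the example; the hostnames, paths, filename pattern and export name are taken from the paste.

```python
"""Detection helpers built from the Locky campaign indicators in the paste.

Added example, not part of the original paste. The proxy log format
('ts client METHOD url status') and the sample records are constructed
for illustration; adapt the parsers to your own gateway, proxy and EDR
output.
"""
import re
from urllib.parse import urlsplit

# --- indicators copied from the paste ----------------------------------
DOWNLOAD_PATH = "/bdb37"            # every download site ends in this path
C2_PATH = "/data/info.php"          # every C2 request is a POST to this path
C2_HOSTS = {
    "158.255.6.129", "94.242.57.152", "jfmiondv.xyz",
    "wnrgttsfmhfmmoqxm.biz", "eapsylykyvfkjbctn.biz", "tswsgajtwhqkosd.su",
    "91.239.235.130", "69.195.129.70", "95.211.174.92",
}
SENDER_DOMAIN = "gmail.com"
# optional "[SUSPICIOUS MESSAGE]" tag comes from the receiving gateway, not the lure
SUBJECT_RE = re.compile(r"^(?:\[SUSPICIOUS MESSAGE\]\s*)?Document from (\S+)$")
ATTACHMENT_RE = re.compile(r"^DOC-20160923-WA000\d+\.docm$", re.IGNORECASE)
# "rundll32.exe %TEMP%\<dll_name>,qwerty": the export name is the stable part
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,qwerty\b", re.IGNORECASE)


def check_email(sender, subject, body, attachments):
    """Return the lure traits present; all four together match the campaign."""
    hits = []
    name, _, addr = sender.rpartition(" ")      # "Rosanna hockey <addr>" -> name, addr
    addr = addr.strip("<>")
    if addr.lower().endswith("@" + SENDER_DOMAIN):
        hits.append("sender_gmail")
    m = SUBJECT_RE.match(subject)
    # the subject's name must appear in the sender's display name or address
    if m and m.group(1).lower() in (name + " " + addr).lower():
        hits.append("subject_matches_sender")
    if not body.strip():
        hits.append("empty_body")
    if any(ATTACHMENT_RE.match(a) for a in attachments):
        hits.append("locky_docm_attachment")
    return hits


def check_proxy_line(line):
    """Classify one constructed proxy line 'ts client METHOD url status'."""
    try:
        _ts, _client, method, url, _status = line.split()
    except ValueError:
        return None                              # not a record we understand
    u = urlsplit(url)
    host = u.hostname or ""
    if u.path == DOWNLOAD_PATH:
        return "locky_download_url"              # payload fetch by the macro
    if host in C2_HOSTS or (method.upper() == "POST" and u.path == C2_PATH):
        return "locky_c2_post"                   # check-in after execution
    return None


def check_process_cmdline(cmdline):
    """True when rundll32 loads any DLL through the 'qwerty' export."""
    return bool(RUNDLL_RE.search(cmdline))


# --- constructed sample records (not from the paste) --------------------
SAMPLE_PROXY = [
    "2016-09-23T10:52:03Z 10.0.0.14 GET http://catcsr.com/bdb37 200",
    "2016-09-23T10:52:09Z 10.0.0.14 POST http://158.255.6.129:80/data/info.php 200",
    "2016-09-23T10:52:10Z 10.0.0.14 POST http://tswsgajtwhqkosd.su:80/data/info.php 200",
    "2016-09-23T10:53:00Z 10.0.0.22 GET http://example.com/index.html 200",
]
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x4f2a.dll,qwerty",
    r"rundll32.exe shell32.dll,Control_RunDLL",   # benign rundll32 use
]


def scan(proxy_lines=SAMPLE_PROXY, cmdlines=SAMPLE_CMDLINES):
    """Return (tag, evidence) pairs for every record that matches an indicator."""
    alerts = []
    for line in proxy_lines:
        tag = check_proxy_line(line)
        if tag:
            alerts.append((tag, line.split()[1]))   # tag + client address
    for cmd in cmdlines:
        if check_process_cmdline(cmd):
            alerts.append(("locky_rundll32_export", cmd))
    return alerts


if __name__ == "__main__":
    for tag, evidence in scan():
        print(tag, evidence)
    print(check_email("Rosanna hockey <Rosanna7089@gmail.com>",
                      "[SUSPICIOUS MESSAGE] Document from Rosanna", "",
                      ["DOC-20160923-WA00059.docm"]))
```

The download-site list changes between updates, so the proxy check keys on the fixed /bdb37 path rather than on hostnames; the C2 check keeps the host set because /data/info.php alone is too generic to alert on without it. The rundll32 check keys on the export name because the DLL file name in %TEMP% varies per infection.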