2016-12-21: #locky email phishing campaign "Bills"

Email sample:
----------------------------------------------------------------------------------------------------------------------------
From: JACQUELINE BAILLIE <jacqueline.baillie@ccomme.net>
To: [REDACTED]
Subject: Bills
Date: Wed, 21 Dec 2016 13:10:08 -0300

Hi,
Please check the attached doc above.
Jacqueline

Attached: 677749022948_0001.docm
----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Bills"
- attached file "<12 digits>_0001.docm" is a Microsoft Word 2007+ file containing a macro that downloads the malware from one of the sites below

Download sites:
http://192.138.189.69/87gyub
http://1maximus.ru/87gyub
http://adminca.se/87gyub
http://alaliengineering.net/87gyub
http://aministudio.com/87gyub
http://artlab.co.il/87gyub
http://avenueresto.com/87gyub
http://baraderoteinforma.com.ar/87gyub
http://bilestone.ru/87gyub
http://bluelunar.net/87gyub
http://charlenelouw.co.za/87gyub
http://corlouis.com/87gyub
http://diemsolutions.com/87gyub
http://eagleslearning.com/87gyub
http://edunayok.org/87gyub
http://elaissaoui.nl/87gyub
http://esteknik.net/87gyub
http://fallingspringrun.com/87gyub
http://fondazioneprogenies.com/87gyub
http://forstmog.de/87gyub
http://frankfoeckler.de/87gyub
http://friedensschlag.de/87gyub
http://fsamson.com/87gyub
http://gadgetdealz.net/87gyub
http://gages-56.com/87gyub
http://greatgoods2.bravepages.com/87gyub
http://habets.info/87gyub
http://handicraftmag.com/87gyub
http://hid2s.com/87gyub
http://hostalmilabi.com/87gyub
http://hostingjoomla.be/87gyub
http://householdanimals.50webs.com/87gyub
http://housellaw.com/87gyub
http://iachovski.com/87gyub
http://inchallahrencontre.net/87gyub
http://inzt.net/87gyub
http://ipt.se/87gyub
http://isriir.com/87gyub
http://izmirisgb.com/87gyub
http://janvanduikeren.com/87gyub
http://jayacoat-industries.com.my/87gyub
http://jiger.ru/87gyub
http://kayju.com/87gyub
http://keralavoter.com/87gyub
http://kmwine.ge/87gyub
http://knightsure.co.uk/87gyub
http://kodivac.com/87gyub
http://kungfumasterwang.com/87gyub
http://ldagnes.pl/87gyub
http://lijschool.com/87gyub
http://macoinservicios.com/87gyub
http://mass-appeal.com/87gyub
http://minilab.ca/87gyub
http://multielectricos.com/87gyub
http://mysolosource.com/87gyub
http://namecardcenter.net/87gyub
http://nanomedilac.com/87gyub
http://naturalcode-thailand.com/87gyub
http://naughtypixelads.com/87gyub
http://no1archeryandsports.ca/87gyub
http://noisecontrols.com/87gyub
http://noosnegah.com/87gyub
http://paplanindustries.com/87gyub
http://parentchildmothergoose.com/87gyub
http://personalizedleatherbracelet.com/87gyub
http://phayamengrai.chiangrai.doae.go.th/87gyub
http://pozsgaiingatlan.hu/87gyub
http://residencegardenia.it/87gyub
http://revolutionarymom.com/87gyub
http://samasamanehgroup.com/87gyub
http://seolandia.pl/87gyub
http://shouxinghg.com/87gyub
http://speaklifegreetings.com/87gyub
http://spk-bk.ru/87gyub
http://spmoya-semya.ru/87gyub
http://stav-reporter.ru/87gyub
http://stuifmeelenstamper.be/87gyub
http://taddboxers.com/87gyub
http://tanz-trommeln.at/87gyub
http://theservantsoflove.com/87gyub
http://travelinsider.com.au/87gyub
http://travicoperu.com/87gyub
http://usedtextilemachinerylive.com/87gyub
http://vmarzal.com/87gyub
http://web4-magento.com/87gyub
http://webplatter.com/87gyub
http://www.azrodandclassic.com/87gyub
http://www.genesisbilling.net/87gyub
http://www.judo-hattingen.de/87gyub
http://www.junaida.com/87gyub
http://www.langeoog-meerleben.de/87gyub
http://www.rencontreparis.org/87gyub
http://www.tenji-guide.com/87gyub
http://xfjt.org/87gyub
http://yorkshire-pm.com/87gyub

Malware:
- encoded on download: SHA256 2974569356b5f22d79af8d0ed9efbdc20a9a4e8dd8831a84f9f6568bc5df3a5a, MD5 2a85c6d7673d685aa3d1d29b82f9b9ff
- decoding (XOR) key: zuOBnhTXfSI4u0R2S24aaSauh99btOss
- decoded: SHA256 8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4, MD5 d4d8887e188d5dd86cb1f99d8c9912e5
- executed by "rundll32.exe %TEMP%\<filename>.aza,pass"
- sample: https://www.virustotal.com/file/8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4/analysis/1482396386/

C2:
POST http://109.234.38.128/checkupdate
POST http://176.121.14.95/checkupdate
POST http://193.201.225.124/checkupdate
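Added analyst helper (not part of the original paste): it XOR-decodes a captured download blob with the key listed above, verifies the result against the decoded SHA256 from the note, and flags the rundll32 ".aza,pass" execution pattern in process command lines. The repeating-key XOR starting at offset 0 is my assumption about the encoding (the note only says "XOR"), the `.aza,pass` regex is my reading of the one command line given, and the sample bytes in the block are constructed, not the real payload.

```python
"""Locky "Bills" campaign helpers: XOR-decode a captured payload and match the
rundll32 execution pattern.  Added example; not from the original paste."""
import hashlib
import re
from itertools import cycle

# Values copied from the campaign note.
XOR_KEY = b"zuOBnhTXfSI4u0R2S24aaSauh99btOss"
ENCODED_SHA256 = "2974569356b5f22d79af8d0ed9efbdc20a9a4e8dd8831a84f9f6568bc5df3a5a"
DECODED_SHA256 = "8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4"

# Assumption: the "executed by" line means rundll32 loading a .aza file and
# calling its "pass" export; the path may be quoted or unquoted.
RUNDLL32_AZA = re.compile(r"rundll32(?:\.exe)?\s+.*\.aza\"?\s*,\s*pass\b", re.IGNORECASE)


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR from offset 0 (assumed scheme). XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """A decoded Windows DLL/EXE begins with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def decode_and_check(encoded: bytes, expected_sha256: str = DECODED_SHA256) -> dict:
    """Decode a captured blob and report whether it matches the note's hashes."""
    decoded = xor_decode(encoded)
    return {
        "encoded_matches_note": sha256_hex(encoded) == ENCODED_SHA256,
        "decoded_matches_note": sha256_hex(decoded) == expected_sha256.lower(),
        "pe_header": looks_like_pe(decoded),
        "decoded": decoded,
    }


def is_rundll32_aza(cmdline: str) -> bool:
    """True if a process command line matches the campaign's rundll32 pattern."""
    return RUNDLL32_AZA.search(cmdline) is not None


# Constructed stand-in for a payload: PE magic plus filler, then XOR-"encoded"
# the same way a captured download would be.  NOT the real sample.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed stand-in, not the real Locky payload"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)  # encoding == decoding for XOR

# Constructed command lines as a detection check would see them.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\bob\AppData\Local\Temp\Hx7tA.aza,pass',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    result = decode_and_check(SAMPLE_ENCODED)
    print("PE header after decode:", result["pe_header"])
    print("Matches note's decoded hash:", result["decoded_matches_note"])
    for line in SAMPLE_CMDLINES:
        print(f"{is_rundll32_aza(line)!s:5} {line}")
```

On a real capture, read the downloaded blob into `bytes`, pass it to `decode_and_check`, and expect both `encoded_matches_note` and `decoded_matches_note` to be true for this campaign's payload; a false on the first while the second is true usually means the sample was already decoded, a false on both means a different key or scheme.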