2016-12-02 #locky email phishing campaign "Emailing: EPS0000xxx"

Email sample:
--------------------------------------------------------------------------------------------------------------
From: "eli" <eli.spears@[REDACTED]>
To: [REDACTED]
Subject: Emailing: EPS0000697
Date: Fri, 02 Dec 2016 18:20:30 +0530

Please find attachment.

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Attachment: EPS0000697.docm
--------------------------------------------------------------------------------------------------------------
- sender varies between emails, but the sender address is spoofed to appear to be from the recipient's own domain
- subject is "Emailing: EPS0000<1-3 digits>"
- attached file "EPS0000<1-3 digits>.docm" is a Microsoft Word document with a malicious macro that downloads the payload from one of the sites below

Download sites:
http://puchipuchivirus.com/74t3nf4gv4
http://rnaweb.nl/74t3nf4gv4
http://seyahatdanismani.net/74t3nf4gv4
http://shangtaomao.com/74t3nf4gv4
http://sieuthicuadep.com/74t3nf4gv4
http://silverhand.eu/74t3nf4gv4
http://skladst.ru/74t3nf4gv4
http://skpc.org.au/74t3nf4gv4
http://smoki.neostrada.pl/74t3nf4gv4
http://sobretesis.com/74t3nf4gv4
http://solid-consulting.nl/74t3nf4gv4
http://sorata.iweb.hu/74t3nf4gv4
http://space4elephants.org/74t3nf4gv4
http://spartech.pl/74t3nf4gv4
http://speciaaldesign.nl/74t3nf4gv4
http://sport-bike.pl/74t3nf4gv4
http://sportwr1.pl/74t3nf4gv4
http://steamingaudio.myzen.co.uk/74t3nf4gv4
http://storebet.ru/74t3nf4gv4
http://subuys.com/74t3nf4gv4
http://sudarsan.net/74t3nf4gv4
http://sudeepgurtu.com/74t3nf4gv4
http://syedtradingco.com/74t3nf4gv4
http://syjcfw.com/74t3nf4gv4
http://taikosushibar.com.br/74t3nf4gv4
http://tandsmil.dk/74t3nf4gv4
http://tansontravel.com/74t3nf4gv4
http://taokefx.com/74t3nf4gv4
http://tatooshsfds.com/74t3nf4gv4
http://tbhomeinspection.com/74t3nf4gv4
http://teknoportbilisim.com/74t3nf4gv4
http://telasbellavista.cl/74t3nf4gv4
http://thecodega.com/74t3nf4gv4
http://thesalesmob.com/74t3nf4gv4
http://thesprezzatura.com/74t3nf4gv4
http://thesurfbreak.com/74t3nf4gv4
http://threepoints.co.nz/74t3nf4gv4
http://thxlove.com/74t3nf4gv4
http://tidytrend.com/74t3nf4gv4
http://tinybearshop.com/74t3nf4gv4
http://tishana.es/74t3nf4gv4
http://tobybender.com/74t3nf4gv4
http://tollytalkies.com/74t3nf4gv4
http://tomhermans.be/74t3nf4gv4
http://translate-all.eu/74t3nf4gv4
http://tribech.com/74t3nf4gv4
http://tritel.com.my/74t3nf4gv4
http://ttrutesheim.de/74t3nf4gv4
http://usaegisgroup.com/74t3nf4gv4
http://uytinviet.com/74t3nf4gv4
http://vakiapaint.com.vn/74t3nf4gv4
http://vazmaz.com/74t3nf4gv4
http://vegasorder.com/74t3nf4gv4
http://vvenusselection.es/74t3nf4gv4
http://vertimex.ro/74t3nf4gv4
http://villaphenomena.com/74t3nf4gv4
http://vipgwj.com/74t3nf4gv4
http://vipseal.de/74t3nf4gv4
http://viviendadelrincon.com/74t3nf4gv4
UPDATED:
ralphkunze.de/74t3nf4gv4
raovat4u.com/74t3nf4gv4
rhinohosts.com/74t3nf4gv4
sid.com.hk/74t3nf4gv4
slagelse-maskinforretning.dk/74t3nf4gv4
snt34.fr/74t3nf4gv4
sokenthai.com/74t3nf4gv4
solmachine.cl/74t3nf4gv4
sonunda.biz/74t3nf4gv4
soulson.de/74t3nf4gv4
sozgroup.com/74t3nf4gv4
spoiltgirlsclub.com/74t3nf4gv4
ssrips.com/74t3nf4gv4
stjohns2012.ca/74t3nf4gv4
swivelsrus.com/74t3nf4gv4
taghdis.ir/74t3nf4gv4
techpow.net/74t3nf4gv4
theory.issp.ac.cn/74t3nf4gv4
tiffeat.com/74t3nf4gv4
torbellon.com/74t3nf4gv4
trackdayphotography.co.uk/74t3nf4gv4
trehoada.org/74t3nf4gv4
trendsandtrades.nl/74t3nf4gv4
trilab.sk/74t3nf4gv4
tt-comp.ru/74t3nf4gv4
ttvtelecom.vn/74t3nf4gv4
u-flats.com/74t3nf4gv4
v4c.tv/74t3nf4gv4
veredictofutbol.com/74t3nf4gv4
vertex-shop.ru/74t3nf4gv4
viacon.lt/74t3nf4gv4
vichycoconutoil.com/74t3nf4gv4
villa31.com/74t3nf4gv4
vioozmovies.net/74t3nf4gv4
virtuapoint.com/74t3nf4gv4
vkd.asia/74t3nf4gv4
Malware:
- encoded on download: SHA256 3a47529ce9871c0b74c724b4ec4ee4986ae3bbbcbe62a8273291f134498c02e0, MD5 e7dce422e0fc509ef7f6c3e94a2e70b6
- decoded: SHA256 6292c2b85b29c9dc019f731f7f2ab488876a15b49d71444f075f87712107a7fa, MD5 7e46c1d13c4ac408ef49646be8b4eab0
- executed by "rundll32.exe %TEMP%\<dll_name>,phone"
- sample: https://www.reverse.it/sample/5741c2ed76233840094e4f0248cc69d6e8a45fee36533f9a3400395ed25aecba?environmentId=100

C2:
POST http://195.19.192.99:80/information.cg
POST http://91.142.90.61:80/information.cgi
POST http://69.195.129.70:80/information.cgi
jehehrngyoenjh.org
tcskreweaeutgxu.pl
hdgpfnmathnp.org
bkclkuoxuwnfxo.work
dxbwjnbalejcuaht.ru
qcynnhb.ru
csmyyfebowkvjxm.biz
assxnyqmrtmiwnvqd.su
bvaclaneoelbnk.pw
thcoknhraephkxgi.su
lquuqkf.org
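The indicators above are mostly pattern-based rather than host-based: every download site shares the path /74t3nf4gv4, the subject and attachment names follow a fixed template, the spoofed sender uses the recipient's own domain, the payload is launched through rundll32 with the "phone" export, and the C2 beacon is a POST to information.cgi (the note lists one truncated spelling, information.cg, which the matcher also accepts). The following Python is an added detection example written for this page, not part of the original paste; the mail headers, proxy log lines and command line it checks are constructed sample data (example.invalid, 192.0.2.10), and the function names are my own.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Campaign indicators as documented in the note above.
SUBJECT_RE = re.compile(r"^Emailing: EPS0000\d{1,3}$")
ATTACHMENT_RE = re.compile(r"^EPS0000\d{1,3}\.docm$", re.IGNORECASE)
DOWNLOAD_PATH = "/74t3nf4gv4"                     # shared by all listed download sites
C2_PATH_RE = re.compile(r"^/information\.cgi?$")  # note lists both "information.cg" and ".cgi"
RUNDLL32_PHONE_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,phone\b", re.IGNORECASE)


def address_domain(header_value):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def check_email(headers, attachments):
    """Return the list of campaign indicators matched by one message."""
    hits = []
    if SUBJECT_RE.match(headers.get("Subject", "")):
        hits.append("subject matches 'Emailing: EPS0000<1-3 digits>'")
    for name in attachments:
        if ATTACHMENT_RE.match(name):
            hits.append("attachment %s matches EPS0000<1-3 digits>.docm" % name)
    from_dom = address_domain(headers.get("From", ""))
    to_dom = address_domain(headers.get("To", ""))
    # The note says the sender is faked to be from the recipient's domain.
    if from_dom and from_dom == to_dom:
        hits.append("From domain %s equals recipient domain (spoofed internal sender)" % from_dom)
    return hits


def check_http(method, url):
    """Flag the macro's download path and the POST beacon to the C2 handler."""
    path = urlparse(url).path
    if method.upper() == "GET" and path == DOWNLOAD_PATH:
        return "payload download path " + DOWNLOAD_PATH
    if method.upper() == "POST" and C2_PATH_RE.match(path):
        return "C2 beacon to " + path
    return None


def check_process(cmdline):
    """Flag rundll32 invoking a DLL's 'phone' export, as the dropped payload is run."""
    return bool(RUNDLL32_PHONE_RE.search(cmdline))


def scan_proxy_log(lines):
    """Parse proxy lines of the form 'timestamp client METHOD url status' and return (client, reason)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, method, url = parts[:4]
        reason = check_http(method, url)
        if reason:
            findings.append((client, reason))
    return findings


# Constructed sample data (not from the original paste): headers modelled on the
# email sample, plus three proxy log lines for a host that opened the attachment.
SAMPLE_HEADERS = {
    "From": '"eli" <eli.spears@example.invalid>',
    "To": "bob@example.invalid",
    "Subject": "Emailing: EPS0000697",
}
SAMPLE_ATTACHMENTS = ["EPS0000697.docm"]
SAMPLE_LOG = [
    "2016-12-02T13:05:11Z 10.0.0.23 GET http://example.invalid/74t3nf4gv4 200",
    "2016-12-02T13:05:19Z 10.0.0.23 POST http://192.0.2.10:80/information.cgi 200",
    "2016-12-02T13:06:02Z 10.0.0.41 GET http://example.invalid/index.html 200",
]
SAMPLE_CMDLINE = r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd1234.dll,phone"

if __name__ == "__main__":
    for hit in check_email(SAMPLE_HEADERS, SAMPLE_ATTACHMENTS):
        print("email:", hit)
    for client, reason in scan_proxy_log(SAMPLE_LOG):
        print("proxy:", client, reason)
    print("process:", check_process(SAMPLE_CMDLINE))
```

The sender check is deliberately a heuristic: an external message whose From domain equals the recipient's domain is only suspicious when it arrives from outside the organisation, so in a real gateway it should be combined with the SPF/DKIM result rather than used alone. The path-based URL check is more durable than the host list, since the note shows the same path being reused across more than a hundred compromised sites.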