API tools faq
paste
Racco42

2016-12-05 Locky "05122016xxxxxx"

Racco42
Dec 5th, 2016
1,533
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.40 KB | None | 0 0
raw download clone embed print report
  1. 2016-12-05 Locky email phishing campaign "05122016xxxxxxxx"
  2.  
  3. Sample email:
  4. ----------------------------------------------------------------------------------------------------------------------
  5. From: Socorro wearing <Socorro.wearing181@in-master.ru>
  6. To: [REDACTED]
  7. Subject: 051220160723551593
  8. Date: Mon, 05 Dec 2016 07:23:55 +0430
  9.  
  10. Attachment: 051220160723551593.zip -> 201612042153174772571709.vbs
  11. ----------------------------------------------------------------------------------------------------------------------
  12. - sender varies between emails
  13. - subject is "<04 or 05>122016<random digits>"
  14. - email body is empty
  15. - attached file "<04 or 05>122016<random digits>.zip" (same as subject) contains file "201612<04 or 05><15 or 16 digits>.vbs", a VBScript downloader
  16.  
  17. Download sites:
  18. http://admin3.rtaf.mi.th/8765r
  19. http://buhoutserts.ru/8765r
  20. http://chanet.jp/8765r
  21. http://guardian-angels-diva.de/8765r
  22. http://haibeiwuliu.com/8765r
  23. http://hzxihe.com/8765r
  24. http://linghangcj.com/8765r
  25. http://markettv.ro/8765r
  26. http://maycongtrinhduylong.com/8765r
  27. http://natashacollis.com/8765r
  28. http://ruifengweb.com/8765r
  29. http://rulebraker.ru/8765r
  30. http://szwanrong.com/8765r
  31. http://temai1.com/8765r
  32. http://travelinsider.com.au/8765r
  33. http://tx318.com/8765r
  34. http://ucbus.net/8765r
  35. http://u-niwon.com/8765r
  36. http://valuationssa.com.au/8765r
  37. http://vipseal.de/8765r
  38. http://viscarci.com/8765r
  39. http://wdcd999.com/8765r
  40. http://wiky.net/8765r
  41. http://windshieldrepairvancouver.ca/8765r
  42. http://wiselysoft.com/8765r
  43. http://wishingwellhosting.com.au/8765r
  44. http://wszystkodokuchni.pl/8765r
  45. http://wudiai.com/8765r
  46. http://xlr8services.com/8765r
  47. http://xn--pasaer-spb.pl/8765r
  48. http://youspeak.pt/8765r
  49. http://zhiyuw.com/8765r
  50. http://zwljfc.com/8765r
  51.  
  52. Malware:
  53. - encoded on download, SHA256 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e, MD5 529789f27eb971ff822989a5247474ce
  54. - decoded SHA256 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf, MD5 5edfc64e72dd2b591a2aa6549353beba
  55. - execute by "rundll32.exe %TEMP%\<filename>.343,mix"
  56.  
  57. C2:
  58. POST http://195.19.192.99/information.cgi
  59. POST http://91.142.90.61/information.cgi
  60. POST http://eabfhwl.ru/information.cgi
  61. POST http://olyedawaki.pl/information.cgi
  62. POST http://owvtbqledaraqq.su/information.cgi
  63. POST http://qtuanjdpx.info/information.cgi
  64. POST http://uwiyklntlxpxj.work/information.cgi
  65. POST http://uxwfukfqxhydqawmf.su/information.cgi
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!