2016-12-05 Locky email phishing campaign "05122016xxxxxxxx"

Sample email:
----------------------------------------------------------------------------------------------------------------------
From: Socorro wearing <Socorro.wearing181@in-master.ru>
To: [REDACTED]
Subject: 051220160723551593
Date: Mon, 05 Dec 2016 07:23:55 +0430
Attachment: 051220160723551593.zip -> 201612042153174772571709.vbs
----------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "<04 or 05>122016<random digits>"
- email body is empty
- attached file "<04 or 05>122016<random digits>.zip" (same as subject) contains file "201612<04 or 05><15 or 16 digits>.vbs", a VBScript downloader

Download sites:
http://admin3.rtaf.mi.th/8765r
http://buhoutserts.ru/8765r
http://chanet.jp/8765r
http://guardian-angels-diva.de/8765r
http://haibeiwuliu.com/8765r
http://hzxihe.com/8765r
http://linghangcj.com/8765r
http://markettv.ro/8765r
http://maycongtrinhduylong.com/8765r
http://natashacollis.com/8765r
http://ruifengweb.com/8765r
http://rulebraker.ru/8765r
http://szwanrong.com/8765r
http://temai1.com/8765r
http://travelinsider.com.au/8765r
http://tx318.com/8765r
http://ucbus.net/8765r
http://u-niwon.com/8765r
http://valuationssa.com.au/8765r
http://vipseal.de/8765r
http://viscarci.com/8765r
http://wdcd999.com/8765r
http://wiky.net/8765r
http://windshieldrepairvancouver.ca/8765r
http://wiselysoft.com/8765r
http://wishingwellhosting.com.au/8765r
http://wszystkodokuchni.pl/8765r
http://wudiai.com/8765r
http://xlr8services.com/8765r
http://xn--pasaer-spb.pl/8765r
http://youspeak.pt/8765r
http://zhiyuw.com/8765r
http://zwljfc.com/8765r

Malware:
- encoded on download, SHA256 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e, MD5 529789f27eb971ff822989a5247474ce
- decoded SHA256 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf, MD5 5edfc64e72dd2b591a2aa6549353beba
- executed by "rundll32.exe %TEMP%\<filename>.343,mix"

C2:
POST http://195.19.192.99/information.cgi
POST http://91.142.90.61/information.cgi
POST http://eabfhwl.ru/information.cgi
POST http://olyedawaki.pl/information.cgi
POST http://owvtbqledaraqq.su/information.cgi
POST http://qtuanjdpx.info/information.cgi
POST http://uwiyklntlxpxj.work/information.cgi
POST http://uxwfukfqxhydqawmf.su/information.cgi
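The lure naming scheme, the fixed download path and the C2 URI above are enough to write a simple matcher. The following Python is an added example, not part of the paste: it turns the subject/attachment patterns into regular expressions, checks HTTP requests against the "/8765r" download path and the "/information.cgi" C2 path with the listed hosts, and runs that over a few constructed proxy log lines. The log format (timestamp, client, method, URL, status) and the flagging of a POST to "/information.cgi" on a host not in the list as a lower-confidence match are assumptions of this example, not facts from the paste.

```python
import re
from urllib.parse import urlparse

# Lure naming conventions described in the paste:
# subject and ZIP are "<04 or 05>122016<random digits>", the VBScript inside
# is "201612<04 or 05><15 or 16 digits>.vbs".
SUBJECT_RE = re.compile(r"^0[45]122016\d+$")
ZIP_RE = re.compile(r"^0[45]122016\d+\.zip$", re.IGNORECASE)
VBS_RE = re.compile(r"^2016120[45]\d{15,16}\.vbs$", re.IGNORECASE)

# Network indicators from the paste.
DOWNLOAD_PATH = "/8765r"
C2_PATH = "/information.cgi"
C2_HOSTS = {
    "195.19.192.99", "91.142.90.61", "eabfhwl.ru", "olyedawaki.pl",
    "owvtbqledaraqq.su", "qtuanjdpx.info", "uwiyklntlxpxj.work",
    "uxwfukfqxhydqawmf.su",
}


def classify_email(subject, attachments):
    """Return the reasons a message matches the campaign's lure pattern (empty if none)."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches <04|05>122016<digits>")
    for name in attachments:
        if ZIP_RE.match(name):
            reasons.append(f"zip attachment named like the subject: {name}")
        if VBS_RE.match(name):
            reasons.append(f"VBScript downloader name pattern: {name}")
    return reasons


def classify_request(method, url):
    """Match one HTTP request against the download and C2 indicators.

    Returns None when nothing matches, otherwise a short reason string.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.path == DOWNLOAD_PATH:
        return f"payload download path {DOWNLOAD_PATH} on {host}"
    if parsed.path == C2_PATH:
        if host in C2_HOSTS:
            return f"known C2 host {host}"
        if method.upper() == "POST":
            # Assumption of this example: same URI on an unlisted host is
            # worth a lower-confidence alert, since C2 domains rotate.
            return f"POST to C2 path {C2_PATH} on unlisted host {host}"
    return None


# Constructed proxy log lines (hypothetical format: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2016-12-05T07:31:02Z 10.0.0.12 GET http://chanet.jp/8765r 200
2016-12-05T07:31:09Z 10.0.0.12 POST http://195.19.192.99/information.cgi 200
2016-12-05T07:32:44Z 10.0.0.12 POST http://example.test/information.cgi 404
2016-12-05T07:33:10Z 10.0.0.13 GET http://example.test/index.html 200
"""


def scan_proxy_log(text):
    """Return (line_number, reason) for every log line that matches an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        reason = classify_request(fields[2], fields[3])
        if reason:
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    print(classify_email("051220160723551593",
                         ["051220160723551593.zip", "201612042153174772571709.vbs"]))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The email matcher is meant for mail-gateway metadata (subject and attachment names only), so it works without opening the ZIP; the request matcher is meant for proxy or firewall logs. Matching on the fixed path catches download hosts that were not in the list at the time the paste was written.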