- 2016-12-19: #locky email phishing campaign "Payslip for the month Dec 2016"
- Sample email:
- ------------------------------------------------------------------------------------------------------------------
- From: RUTHIE TORDOFF <ruthie.tordoff@damienelsing.com>
- To: [REDACTED]
- Subject: Payslip for the month Dec 2016.
- Date: Mon, 19 Dec 2016 16:43:51 +0500
- Dear customer,
- We are sending your payslip for the month Dec 2016 as an attachment with this mail.
- Note: This is an auto-generated mail. Please do not reply.
- Attachment: Payslip_Dec_2016_7705596.doc
- ------------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Payslip for the month Dec 2016."
- - attached file "Payslip_Dec_2016_<5-8 digits>.doc" is a Microsoft Word 2007+ document containing a macro that downloads the malware
- Download sites:
- Malware:
- - encoded on download
- SHA256 36ec2edae1dfd19f201223dd0b101494c33d092e2884288fecd8615cd86cd993, MD5 539ff4ca8d5a2ef6ab7297c4788c9e7d
- SHA256 27f256daf811b85b8cdfe9efa1235bc59ff99ecf2c0f909155fdf3d646ebfdcc, MD5 30ffab27be3ca772b1bf8c97b22b9fdc
- - decoded
- SHA256 a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3, MD5 e93bbc2feaf005d85affbadc1abb39e9
- SHA256 877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07, MD5 b2c125eb7d8186e1a4d52c411b94dd58
- - executed by "rundll32.exe %TEMP%\<filename>.ero,money"
- - samples
- https://www.virustotal.com/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482159947/
- https://www.virustotal.com/file/877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07/analysis/1482188600/
- C2:
- POST http://188.127.239.48/checkupdate
- POST http://91.223.180.3/checkupdate
- POST http://176.121.14.95/checkupdate
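Added detection example (not part of the paste): it turns the campaign traits above into checks a mail gateway, proxy log or EDR rule could apply: the fixed subject and attachment name pattern, the "/8hrnv3" path shared by every download URL, the "rundll32.exe <path>\<name>.ero,money" execution, and POST /checkupdate to the three listed C2 hosts. The sample inputs in the `__main__` section are constructed; the process path and hostnames there are placeholders.

```python
from __future__ import annotations
import re

# Indicators come from the paste above; everything run through them below is constructed.
SUBJECT = "Payslip for the month Dec 2016."
ATTACHMENT_RE = re.compile(r"^Payslip_Dec_2016_\d{5,8}\.doc$", re.IGNORECASE)
# Download stage: any compromised host, path /8hrnv3 (identical across all listed sites)
DOWNLOAD_RE = re.compile(r"^https?://[^/\s]+/8hrnv3/?$", re.IGNORECASE)
# C2 check-in: POST /checkupdate to one of the three hosts listed in the paste
C2_HOSTS = {"188.127.239.48", "91.223.180.3", "176.121.14.95"}
C2_RE = re.compile(r"^https?://([^/\s:]+)(?::\d+)?/checkupdate$", re.IGNORECASE)
# Loader execution: rundll32.exe <path>\<name>.ero,money (DLL dropped in %TEMP%, export "money");
# the path may or may not be quoted
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"\s]*\\[^\\"\s]+\.ero"?,money\b', re.IGNORECASE)

def check_email(subject: str, attachments: list[str]) -> list[str]:
    """Return the campaign traits an email matches (empty list means no match)."""
    hits = []
    if subject.strip() == SUBJECT:
        hits.append("subject")
    hits += [f"attachment:{a}" for a in attachments if ATTACHMENT_RE.match(a)]
    return hits

def classify_url(url: str) -> str | None:
    """'download' for the macro's fetch URL, 'c2' for a known check-in host, else None."""
    if DOWNLOAD_RE.match(url):
        return "download"
    m = C2_RE.match(url)
    if m and m.group(1) in C2_HOSTS:
        return "c2"
    return None

def is_loader_cmdline(cmdline: str) -> bool:
    """True when a process command line matches the rundll32 .ero,money execution."""
    return RUNDLL_RE.search(cmdline) is not None

if __name__ == "__main__":
    # constructed samples: the host and user path are placeholders
    print(check_email(SUBJECT, ["Payslip_Dec_2016_7705596.doc"]))
    print(classify_url("http://example.invalid/8hrnv3"))
    print(classify_url("http://188.127.239.48/checkupdate"))
    print(is_loader_cmdline(r'rundll32.exe "C:\Users\u\AppData\Local\Temp\tmp1234.ero",money'))
```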