Racco42

2016-09-26 Locky "Updated invoice #xxxxxxx"

Sep 26th, 2016
2016-09-26 #locky email phishing campaign "Updated invoice #xxxxxxx"

Email:
------------------------------------------------------------------------------------------------------------------
From: "Neva Le" <Le.00@xtremeblue.com>
To: [REDACTED]
Subject: Updated invoice #2677475
Date: Mon, 26 Sep 2016 21:52:41 +0430

Our sincere apology for the incorrect invoice we sent to you yesterday.
Please check the new updated invoice #2677475 attached.
We apologize for any inconvenience.

-------
Neva Le
nt of Business Development
Tel.: (199) 555-52-43

Attachement: 6355926e2aee.zip
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Updated invoice #<7 numbers>"
- attached file "<random hexa numbers>.zip" contains a one-letter-named junk file and "Updated invoice pdf <random hexa chars>.wsf", a JScript downloader

Download sites:
http://alexor.net/8kms9q
http://artpiked.com/1yzwrnh
http://artpiked.com/3r39f
http://birdemetresim.com/zdqmue
http://cast4all.com/gvm3k2
http://digital-print.ru/xnq6ds
http://easyfo.net/pft0xk0u
http://extramileteam.com/fvjo7o
http://faadn.com/l14mq
http://fedstone.ru/b04bwkf
http://fungasoap.net/crq2th
http://genelev.net/925y05n
http://gold-insurance.com/xv3ebctc
http://greenshootmedia.com/dcenlt
http://hentai.tc/53a0snpy
http://hlh.sk/pbd756z
http://hotelikbej.pl/ild3ha8
http://hotelsforsaleinspain.com/29woa6s
http://hunt-magazine.com/jape3
http://hurrychufa.com/29woa6s
http://hurrychufa.com/4kspi
http://iloveyf.com/jmt7ph
http://inform-ug.ru/mqymhdx
http://inspiredgear.sg/7p3fsnr
http://insta-follower.com/82p61t
http://judgedeborahshallcross.com/dm1e4e9j
http://knaravan.org/d84k2p
http://limaxmesse.com/2qxsunng
http://limaxmesse.com/4lv41gpx
http://liteklighting.com/7w2lu3
http://literbest.ru/f37u3
http://lomtalay.com/gadfdv
http://metavial.com/i76w9lel
http://mischiefexpeditions.asia/8ybs4j
http://mospi.ru/53kn60wz
http://musicbarpriatelia.sk/6210i9gk
http://nybeauty.com/8whuh6fw
http://on-point.be/jce90dk9
http://paitano.com/xc17228k
http://prod23.ru/v451a3
http://rennie-mackintosh-jewellery.co.uk/pl8ka
http://rusdram.com.ua/aggfdu5q
http://sakurabridal.com/j9tfmtid
http://sarayutechnologies.com/gxa286yl
http://sobretesis.com/np59sp5b
http://social-jump.com/5fnwlc1m
http://tarjetamedicapop.com/5zyp3yz
http://teknidataconsultores.com/vy05sk
http://thomasduncanwatt.com/q55vec
http://tpidbanjarmasin.org/g5r5s8tj
http://unmewpongo.com/1efk0h
http://unmewpongo.com/3hnjxq36
http://unstytovar.com/0o0qep
http://unstytovar.com/3e02h60v
http://vlog24h.com/d4g3n
http://voizplus.com/hscjhi
http://vonsky.com/ez3q7k8
http://wmunigeria.org/i0zgx
http://zheng-du.com/hj8ky8c9

Malware:
- encoded on download, filesize 151044 bytes
66476d0ac313a88a161ac1bbbc7253ded66dd668ebcef3374f8487e10212ac30 http___alexor.net_8kms9q
daf62b49bcbe34d62816d3d0cc6d705c6d7c87203779743bd60cf11ebdeb5dee http___artpiked.com_1yzwrnh
e4ba316bfbdd076007a1d027fa4e363fe930ecc43cfe982fb6ea7ff3f1d3ca33 http___artpiked.com_3r39f
f809558478d18593514071f5ef09eb4d342701b086a563e73d7e6b7042ed4be4 http___birdemetresim.com_zdqmue
c1844af4b99db7490ea6c0355c0222cfaa04e49e200fe6b0c88c3ccaa9309259 http___cast4all.com_gvm3k2
4796df587e3d66a3d1c4cac0dcb9111191201e98b2a66274e86100b243e68e67 http___digital-print.ru_xnq6ds
52fce994c8c42c4bab01177d920a68298fb9a85ba0766c34c8b3e8f2afb30757 http___easyfo.net_pft0xk0u
a082c474030849216868a90f4ecc1907a8c7315c0ce02d54e3a4c7c318ffad10 http___extramileteam.com_fvjo7o
bd6079d69d7f7e34cb273f7c8dda6ed2068401e70cb16b3c1089d63ed9e982dc http___faadn.com_l14mq
9442c53a477a095c1c7538e2229e4ae7e8febc205064027585b3c7cbfb162c3c http___fedstone.ru_b04bwkf
3d550060d0e49f9b4ea4bd6a952fbc7c50e3f6381657e8f2e1bf019f08757911 http___fungasoap.net_crq2th [1]
9cb212b44dd5849d5f0fe738019f7fcba99babcb927f7b5afb263202076a4322 http___genelev.net_925y05n
21d18d5d299444e976c42cb3e0ca04b7404f7538005aecf2aa99ca7b6ba6f7f2 http___gold-insurance.com_xv3ebctc
06a727617ca86498c016efb74976390787ccd923f51db63ce0ddd79bb1be4dc3 http___greenshootmedia.com_dcenlt
adc450f69560f1cbbb20de5fdd876ed8d6a81d5202d2466f45e784d6c1b729b4 http___hentai.tc_53a0snpy
5cd5bd3a11282557167c8f63380f6f103f65ae868b7c93ce06886fbb164f6e55 http___hlh.sk_pbd756z
25125ffa2a0a74c2a17697984eb79cae481eb78d7dd740a3f1882f0ddb439e34 http___hotelikbej.pl_ild3ha8
e1a8e6abbb0c7e7c14dc9c2cd36d2c819d08f357c73cf7308b3869ff9de8bcdf http___hotelsforsaleinspain.com_29woa6s
2a97cb1fbd785e01880237365a3f82c54514dbba47829532eb66416e42c45275 http___hunt-magazine.com_jape3
e1a8e6abbb0c7e7c14dc9c2cd36d2c819d08f357c73cf7308b3869ff9de8bcdf http___hurrychufa.com_29woa6s
aec0856c878446be8d8fa36e308adde509b6c1398254c7f8b2de1b59f4e9934a http___hurrychufa.com_4kspi [2]
57d6b1b737957dd233cb681927cd54955d083d408e3004c638d137c8196a4202 http___iloveyf.com_jmt7ph
3f761a8e8fd9fe9f303b277538725055f253e46d722e0d4baeed033755b0499a http___inform-ug.ru_mqymhdx
560bea80e3aeb9f374c05c3dd87feeab4e03c246e59f6fd6938e99c5872f5e05 http___insta-follower.com_82p61t
dc2fee9f06bd8fd78960dfb736f7102c229a82ab8eb034602ec12b2aef8dc535 http___judgedeborahshallcross.com_dm1e4e9j
5bcc5894812c7a4b0828f57f1333d1c2f72f9659eb73f47de10e2c19c84c9856 http___knaravan.org_d84k2p [6]
2b602294d369f4b506eb57ad0f2399c6cadc9ea155db1aee35dafb3db1a7074d http___limaxmesse.com_2qxsunng [5]
210139c9ead4c579a9ff3abe306d43761cd7fe79b31878eede527e327fc333ac http___limaxmesse.com_4lv41gpx
bf5d4fc2654db350d40103ddaf85d0b848cb11208a5d7dc339ff7861cdee58db http___liteklighting.com_7w2lu3
34f76df4a7130869a3f1c06c5f2b198ff01d4aae6d069adbe98c2f6742124a16 http___lomtalay.com_gadfdv
1e0524fb565a6ce598532ce0d18b309c9fba55d40936786f4e36b2bace1b4dd6 http___metavial.com_i76w9lel
b24c3dc137cc447e52d65bd831478e3d7d47c1b96b03d3c0f09ae6ff6fa77d87 http___mischiefexpeditions.asia_8ybs4j
4dece3a4c92ea5fe7d113ff946ba6ad6c8a8cb2ddf5626e233e932f0fde615a6 http___mospi.ru_53kn60wz
7b9d0c7fc01bbca65116ad32e4fac4b7cb5fc722f4ca1b33afea4e8e1febb146 http___musicbarpriatelia.sk_6210i9gk
6c9f0a44fa1d18d619902b5c094f1f0a8e65f24c6e64e6c4c7d4819ca87673ec http___nybeauty.com_8whuh6fw
0ca7fd4fe61c7225cf720c41f1f31377261cc7a3fa86c3edfbf0abc83785433a http___on-point.be_jce90dk9
65d804d2a40a65f1dd464cc1ab0630da694475766223792d6767cee70b1b3e7a http___paitano.com_xc17228k
d378deb347633e4fb327f50fc5121bdd495b835f6d1711a5447b827aeb478386 http___prod23.ru_v451a3
bc38efdc4b82c24bb867c2940ab1ccf78fec80394d37ef6595adc654905e063d http___rusdram.com.ua_aggfdu5q
b4cd50de7c8ece948efac0c450d9aba48eb8a38c7bb9560ba919dea671fcee90 http___sarayutechnologies.com_gxa286yl
9fc35c926eae39e382be88350f06536d673ebe43a1908b2a607d16310c05dbf1 http___sobretesis.com_np59sp5b
65ee5bf4d163555199209b50e8f280220cff2091cb7487ef45d34cc13f2a05f4 http___social-jump.com_5fnwlc1m
ffc438922ff09939be8c69e09d141d871092ce31f142939064a4bee2c21d5ea2 http___tarjetamedicapop.com_5zyp3yz
ee7932fb7191a85448b0d1c487ccb032dff4d4b304815fe6793df22325a2477b http___teknidataconsultores.com_vy05sk
fe841b2004bbdec8b3dc57b121421bfa2934192161db64b4342359b5847a926b http___thomasduncanwatt.com_q55vec
e185c87490d66c7b8b243409a459b78e0da36a2d2750d61f364916da8cbb5a10 http___tpidbanjarmasin.org_g5r5s8tj
f260f12dceedb247391c00ef103a19bdce1e5ad1bf1e668458e6d4cb1a094b9c http___unmewpongo.com_1efk0h [3]
d657ecd2eb7544a802912d86d04389b5fd993ba36d4e22a9f2ea76c9f060ca43 http___unmewpongo.com_3hnjxq36
5c43f870709f1a06982b1455440f9a8718c2555415d9678b29bfdfd3bd095df8 http___unstytovar.com_0o0qep [4]
fb172118df5abcb01c16f528cf54d2885773ec8499d9bb66f8b2fcceca8418f1 http___unstytovar.com_3e02h60v
53e795b640340c3da8e6b31326424f8fc4ed2c96e7d88bcf077a06cace283ad3 http___vlog24h.com_d4g3n
8ba03b869121eb02aa624ba1acda5154db947c172c3596303dbf5ab7bfa541ce http___voizplus.com_hscjhi
353c025141fbd613927de5139a098952a911be9c4be6ac20ccca0c6cafa8cf95 http___zheng-du.com_hj8ky8c9
- decoded
8bd47b36fa74f67f17662caa85ce3ac4193f67d5e1a0e0b8dfe155a2da657327 [1]
c0046bf12b8ed7d921e0bc1ab5dd7d357d5049dcf17291fc06e736bcb73bff09 [2]
9dfb16d702a8a30ea66ccbd83bf2004bac9e1c0bff85ce517a69929c60fc7145 [3]
046303c8070ab8ab8d8aa1e7fe11272701b99bc2c0322f17ffecd1da6a678542 [4]
a189a341e0a533896e44692994d383389092b68b74766cc73a10668d8f6c9b8c [5]
42ab2f5735add484735c56bf2ec0a5448425462e25dad7a7d7882dd4c56d3606 [6]
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
- samples
https://www.reverse.it/sample/3980891db0e525b7db5929a61dbc8f92836bfe6100a04bca29b9a795b15c8f08?environmentId=100
https://www.reverse.it/sample/5d8e2bf901f3805ff081f9f975004f19ce24547e94cbb353b1eaaf9e4b565b5c?environmentId=100
https://www.reverse.it/sample/28270143f7a4e227ba0bd74e308b169d0beff65c325591c4ba7d7987073c2265?environmentId=100
https://www.reverse.it/sample/c75c1a6e78280d9f569437b34a4ec650eec81e3dd4a96be70d78fd9820665b7b?environmentId=100
https://www.reverse.it/sample/88497d4abbbc5df2779e1de97cd1725837bab1b1ef2bdd21bbb3b6f421138a0f?environmentId=100
https://www.reverse.it/sample/954c771a7f1be12930b1a0ae9df17cbd48a27d00499acc28145725306032266f?environmentId=100
https://www.reverse.it/sample/478121d7c265ab85148505045f4f3ecc5b4801f3cd013a59bfedfab6be923a6d?environmentId=100
https://www.reverse.it/sample/68de45a7219d3bbb1a7f603db793c28051fec23c525c2b4c2266a94b2039cf06?environmentId=100
https://www.reverse.it/sample/a239a9b8f3932b9def37217c63264d95cf798d9d623016ae57a38f045be47b63?environmentId=100
https://www.reverse.it/sample/aead96237afea6fb27a5355d016de618fa0db73840816e0b187d83bdb47a70dc?environmentId=100
https://www.reverse.it/sample/126813715bce3b0e628e8c92d6eeb8203f401b624b867bbc42cbe466150e1aeb?environmentId=100
https://www.reverse.it/sample/1d7b781c59374b5101809d7b1450576c88e88af209da864be450629ce6d853f9?environmentId=100

C2:
POST 5.196.200.247:80/apache_handler.php
POST 62.173.154.240:80/apache_handler.php
POST uiwaupjktqbiwcxr.xyz:80/apache_handler.php [86.110.118.114]
POST rflqjuckvwsvsxx.click:80/apache_handler.php [86.110.118.114]
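Added example (not part of the original paste): the lure, attachment, execution and C2 patterns recorded above, turned into detection checks and run over constructed sample events. The event schema (dicts with a "type" key), the assumption that "<random hexa numbers>" means lowercase hex, and the sample values are mine; the subject format, the .wsf naming, the rundll32 export/argument pair and the C2 hosts and path come from the paste.

```python
"""Indicator checks for the 2016-09-26 Locky "Updated invoice" campaign.

Added example, not code from the original paste. The patterns below encode
what the paste records; the event schema and sample events are constructed.
"""
import re

# Lure: subject "Updated invoice #<7 numbers>", attachment "<random hexa numbers>.zip"
SUBJECT_RE = re.compile(r"^Updated invoice #\d{7}$")
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
# Inside the zip: a one-letter junk file plus "Updated invoice pdf <hexa>.wsf"
WSF_RE = re.compile(r"^Updated invoice pdf [0-9a-f]+\.wsf$", re.IGNORECASE)
JUNK_RE = re.compile(r"^[A-Za-z0-9]$")
# Execution: rundll32.exe %TEMP%\<dll_name>,qwerty 323 (path inside a Temp folder)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^",]*\\temp\\[^",]+"?\s*,\s*qwerty\s+323\b',
    re.IGNORECASE,
)
# C2 hosts from the paste (IPs, domains and their resolved address); all POST to one path
KNOWN_C2_HOSTS = {
    "5.196.200.247", "62.173.154.240",
    "uiwaupjktqbiwcxr.xyz", "rflqjuckvwsvsxx.click", "86.110.118.114",
}
C2_PATH = "/apache_handler.php"


def is_lure_email(subject, attachment):
    """True when both the subject and the attachment name fit the campaign."""
    return bool(SUBJECT_RE.match(subject) and ZIP_NAME_RE.match(attachment))


def is_lure_archive(member_names):
    """True when a zip listing has the .wsf downloader and a one-letter junk file."""
    has_wsf = any(WSF_RE.match(n) for n in member_names)
    has_junk = any(JUNK_RE.match(n) for n in member_names)
    return has_wsf and has_junk


def is_payload_execution(command_line):
    """True for the rundll32 export/argument pattern the paste records."""
    return bool(RUNDLL_RE.search(command_line))


def classify_request(method, host, path):
    """'known_c2' for listed hosts, 'suspicious_path' for the same path elsewhere, else None."""
    if method.upper() != "POST" or path != C2_PATH:
        return None
    host = host.split(":")[0].lower()  # drop a ":80" port suffix
    return "known_c2" if host in KNOWN_C2_HOSTS else "suspicious_path"


def scan(events):
    """Run every check over a list of event dicts; return (event_id, finding) pairs."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "email" and is_lure_email(ev["subject"], ev["attachment"]):
            findings.append((ev["id"], "lure_email"))
        elif kind == "archive" and is_lure_archive(ev["members"]):
            findings.append((ev["id"], "lure_archive"))
        elif kind == "process" and is_payload_execution(ev["cmdline"]):
            findings.append((ev["id"], "rundll32_payload"))
        elif kind == "http":
            label = classify_request(ev["method"], ev["host"], ev["path"])
            if label:
                findings.append((ev["id"], label))
    return findings


# Constructed sample events (not real telemetry); values mirror the paste's patterns.
SAMPLE_EVENTS = [
    {"id": 1, "type": "email", "subject": "Updated invoice #2677475", "attachment": "6355926e2aee.zip"},
    {"id": 2, "type": "email", "subject": "Updated invoice", "attachment": "report.zip"},
    {"id": 3, "type": "archive", "members": ["k", "Updated invoice pdf 3fa9c0b1.wsf"]},
    {"id": 4, "type": "archive", "members": ["readme.txt", "invoice.pdf"]},
    {"id": 5, "type": "process", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a1b2c3.dll,qwerty 323"},
    {"id": 6, "type": "process", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 7, "type": "http", "method": "POST", "host": "uiwaupjktqbiwcxr.xyz:80", "path": "/apache_handler.php"},
    {"id": 8, "type": "http", "method": "POST", "host": "203.0.113.7", "path": "/apache_handler.php"},
    {"id": 9, "type": "http", "method": "GET", "host": "example.com", "path": "/index.html"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

The C2 check deliberately separates "known host" from "same path on an unlisted host": the hosts rotate, the /apache_handler.php path and the POST method were stable across the four entries, so the weaker label keeps coverage after the listed hosts go dark while still ranking below an exact match.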