2016-11-21 #locky email phishing campaign "Spam mailout"
Email sample:
---------------------------------------------------------------------------------------------------------------
From: "Cara Thornton" <Thornton.Cara@viettel.vn>
To: [REDACTED]
Subject: Spam mailout
Date: Mon, 21 Nov 2016 16:29:59 +0700
Dear [REDACTED]
We've been receiving spam mailout from your address recently.
Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Cara Thornton
ISP Support
Tel.: (420) 292-54-52
Attachment: logs_[REDACTED].zip
---------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Spam mailout"
- Attached file "logs_<recipient's name>.zip" contains file "<random upcase chars>-<random upcase chars>.js", a JScript downloader
Download sites:
Malware:
- encoded on download, filesizes 137591 or 134411 bytes
- decoded
- executed by "rundll32 %TEMP%\<dll_name>,jWo7sg8u"
C2:
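The execution chain noted above (a JScript downloader run out of the zip attachment, then rundll32 loading the dropped DLL from %TEMP% with a named export) written as detection logic over process-creation events. This is an added example, not part of the original paste; the event format, user paths, DLL file name and the benign events are constructed assumptions.

```python
"""Flag the Locky 'Spam mailout' execution chain in process-creation events (added example)."""
import re

# Constructed sample events: a parent image and the child's command line.
# Events 0 and 1 mimic the chain described in the paste; 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_logs_bob.zip\QWERTY-ASDFGH.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rundll32 C:\Users\bob\AppData\Local\Temp\abc123.dll,jWo7sg8u"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Scripts\inventory.js"'},
]

# Temp locations: the literal %TEMP% from the paste plus its usual expansions.
TEMP_DIR = re.compile(r"(?:%TEMP%|\\AppData\\Local\\Temp|\\Windows\\Temp)\\", re.IGNORECASE)
# rundll32 <dll>,<export>  -- the paste's "rundll32 %TEMP%\<dll_name>,jWo7sg8u" form.
RUNDLL_EXPORT = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,"]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# wscript/cscript launching a .js/.jse file, as the zip-borne downloader would be run.
SCRIPT_HOST = re.compile(
    r'^\s*"?(?:w|c)script(?:\.exe)?"?\s+"?(?P<path>[^"]+\.jse?)"?', re.IGNORECASE)


def classify(event):
    """Return a detection tag for one event, or None when it looks benign."""
    cmd = event["cmd"]
    m = RUNDLL_EXPORT.match(cmd)
    if m and TEMP_DIR.search(m.group("dll")):
        # DLL loaded straight out of a temp directory via an explicit export name.
        return "rundll32-temp-dll-export"
    m = SCRIPT_HOST.match(cmd)
    if m and TEMP_DIR.search(m.group("path")):
        # Script host executing a .js that lives under a temp directory (zip preview extract).
        return "script-host-temp-js"
    return None


def scan(events):
    """Return (command line, tag) for every event that matches a detection."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["cmd"], tag))
    return hits
```

The rundll32 rule deliberately requires both a temp-directory DLL path and an export name, so system DLLs such as shell32.dll do not fire.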