2016-09-06 #locky email phishing campaign "Invoice INV0000xxxxx"
Email:
--------------------------------------------------------------------------------------------
From: "Willy aikman" <Willy38@perita.nl>
To: [REDACTED]
Subject: Invoice INV000073388
Date: Tue, 06 Sep 2016 19:54:13 +0700
Please find our invoice attached.
Attachment: Invoice_INV000073388.zip
--------------------------------------------------------------------------------------------
- sender varies
- subject is "Invoice INV0000<number>"
- attached file "Invoice INV0000<number>.zip" corresponds to subject
- attached file contains file "<random chars>.wsf" containing a JScript downloader
Download sites (actual URLs contain suffix ?<random>=<random> which does not influence download)
Malware:
- encoded on download, SHA256 b09fd941cf46fe994af6b88856969b860ab666dedfe198db4ff1ac49b788a870, filesize 76288 bytes
- decoded SHA256 adc7cc912bd255e17431ead2dfa592f3176ddfa72cdc84cd3b78ab87f5a3f12d
https://www.reverse.it/sample/40cfb75451d3c878c0d19de31f8ab29146cc3b17ee0ad1e8bea61d022f94abcf?environmentId=100
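
Added example (not part of the original paste): a mail-gateway style check for the three traits listed above, i.e. the subject "Invoice INV0000<number>", a ZIP attachment named after the subject, and a .wsf member inside that ZIP. The function names, the constructed sample message and the acceptance of both a space and an underscore in the attachment name are assumptions made for this example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Invoice (INV0000\d+)$")

def check_message(raw: bytes) -> dict:
    """Report which of the campaign traits a raw RFC 822 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"subject": False, "zip_matches_subject": False, "wsf_members": []}
    m = SUBJECT_RE.match(str(msg["Subject"] or "").strip())
    if not m:
        return result
    result["subject"] = True
    # Assumption: the paste writes the name with a space, its sample with "_".
    name_re = re.compile(r"^Invoice[ _]" + re.escape(m.group(1)) + r"\.zip$", re.I)
    for part in msg.iter_attachments():
        if not name_re.match(part.get_filename() or ""):
            continue
        result["zip_matches_subject"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                # Only member names are inspected; nothing is extracted or run.
                result["wsf_members"] += [n for n in zf.namelist()
                                          if n.lower().endswith(".wsf")]
        except zipfile.BadZipFile:
            pass  # not a readable ZIP: name trait stays set, no members listed
    return result

def is_campaign_match(raw: bytes) -> bool:
    r = check_message(raw)
    return r["subject"] and r["zip_matches_subject"] and bool(r["wsf_members"])

def make_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test mail; the ZIP member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder, constructed for this example")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find our invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```
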