Racco42

Locky "Suspected Purchases"

Sep 6th, 2016
2016-09-06 #locky email phishing campaign "Suspected Purchases"

Email sample (sender address varies)
-----------------------------------------------------------------------------------------------
From: "Angelica Brewer"
To: [REDACTED]
Subject: Suspected Purchases

Dear [REDACTED],

We have suspected irregular purchases from the company's account.
Please take a look at the attached account balance to see the purchase history.


Best Regards,
Angelica Brewer
Support Manager
----------------------------------------------------------------------------------------------
Attached file "<random_hexachars>.zip" contains 2 identical files "FAAD4310 Suspected_Purchases_PDF.js" and "FAAD4310 Suspected_Purchases_PDF - 1.js"; both are JScript downloaders

Download sites:
http://canonsupervideo4k.ws/2sye3alf
http://darkestzone2.wang/32rdw52w
http://donttouchmybaseline.ws/89rwr
http://listofbuyersus.co.in/jy5fkrp
http://onlybest76.xyz/pkaiqr9
http://tradesmartcoin.xyz/rwevvv3a
http://videoconvertermac.in/t8qmxptm
http://virmalw.name/uw2vyhpd

Malware encoded on download, filesize 166,404 bytes
e3527c5883bdac9d5556667cdbf409f577b9eadda42e4300f2bd9db2293f753e http___canonsupervideo4k.ws_2sye3alf
3704944218259b9f0ac89ed7c408c426cb69f6dc66f8b8db1eec5d3d7741fcc0 http___darkestzone2.wang_32rdw52w
dec2186e662576b9d0fea534e02aef21e645ab4e97bee27a69d4daca56b3d733 http___donttouchmybaseline.ws_89rwr
06cb691f03d72984ae06f005700af6712930d082b9bfe7c253c4212437a526c0 http___tradesmartcoin.xyz_rwevvv3a
f56e3155b640b83ba0243018b5d0247535a0451bce58ead35b72a53f5a37c9df http___virmalw.name_uw2vyhpd

https://www.reverse.it/sample/54f736984e67684355e23b711982e21e9a0911cc552b24d4d8deac191706eb9d?environmentId=100
https://www.reverse.it/sample/993159d036589d18b0bdb4e3de2dbd2c1f94ccfe58280dcc1ac736b80409fcf9?environmentId=100
https://www.reverse.it/sample/480a45cbcd693474cb128c2b4552b40453dc4b5fe8002bf49968197a3bcfb735?environmentId=100
https://www.reverse.it/sample/5ffda2e7ddae7503d56a53980ef0c3b0574eff9322d219dba484e93303dfe4e9?environmentId=100
https://www.reverse.it/sample/ebd957bff116879685fd77ae6feaac53c1987c201b1604e831607f177cbb72e7?environmentId=100

executed by "rundll32.exe %TEMP%\xxxxxxx.DLL,qwerty 323"

C2:
85.154.15.150:80/data/info.php
185.162.8.101:80/data/info.php
91.211.119.71:80/data/info.php
158.255.6.109:80/data/info.php
gsejeeshdkraota.org/data/info.php [188.120.232.55]
mvvdhnix.biz/data/info.php [52.0.217.44]
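Added example, not part of Racco42's paste: a small matcher that turns the indicators above (download URLs, C2 hosts and resolved IPs, the /data/info.php check-in path, the payload SHA-256 values, and the "rundll32.exe %TEMP%\...DLL,qwerty 323" launch pattern) into detection logic and runs it over a few constructed proxy, process-creation and file-hash log lines. The three-field log format ("timestamp source value") and every sample line are constructed for this example; only the indicator values come from the paste.

```python
"""Match the Locky "Suspected Purchases" IOCs from the paste against log lines.

Added example; log format and sample lines are constructed, indicators are
copied from the paste above.
"""
import re
from urllib.parse import urlparse

# Download sites listed in the paste (the JScript downloader fetches from these).
DOWNLOAD_URLS = [
    "http://canonsupervideo4k.ws/2sye3alf",
    "http://darkestzone2.wang/32rdw52w",
    "http://donttouchmybaseline.ws/89rwr",
    "http://listofbuyersus.co.in/jy5fkrp",
    "http://onlybest76.xyz/pkaiqr9",
    "http://tradesmartcoin.xyz/rwevvv3a",
    "http://videoconvertermac.in/t8qmxptm",
    "http://virmalw.name/uw2vyhpd",
]
# Match on (host, path) so "http://host:80/path" and "http://host/path" agree.
DOWNLOADER_KEYS = {(urlparse(u).hostname, urlparse(u).path) for u in DOWNLOAD_URLS}

# C2 hosts from the paste: four raw IPs, two domains and their resolved IPs.
C2_HOSTS = {
    "85.154.15.150", "185.162.8.101", "91.211.119.71", "158.255.6.109",
    "gsejeeshdkraota.org", "188.120.232.55",
    "mvvdhnix.biz", "52.0.217.44",
}
C2_PATH = "/data/info.php"

# SHA-256 of the decoded DLL payloads listed in the paste.
PAYLOAD_SHA256 = {
    "e3527c5883bdac9d5556667cdbf409f577b9eadda42e4300f2bd9db2293f753e",
    "3704944218259b9f0ac89ed7c408c426cb69f6dc66f8b8db1eec5d3d7741fcc0",
    "dec2186e662576b9d0fea534e02aef21e645ab4e97bee27a69d4daca56b3d733",
    "06cb691f03d72984ae06f005700af6712930d082b9bfe7c253c4212437a526c0",
    "f56e3155b640b83ba0243018b5d0247535a0451bce58ead35b72a53f5a37c9df",
}

# rundll32 loading a DLL out of the temp directory with export "qwerty" and
# argument 323, as in the paste.  Accepts both the literal "%TEMP%\x.DLL" form
# and an expanded "...\Temp\x.DLL" path; the DLL name itself is random.
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+[^,]*(?:\\|%)temp%?\\[^,]*\.dll,\s*qwerty\s+323\b",
    re.IGNORECASE,
)


def classify_url(url):
    """Return a verdict for a proxy-log URL, or None if it matches nothing."""
    url = url.strip()
    if "://" not in url:            # paste lists C2 as "ip:80/path" without a scheme
        url = "http://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in DOWNLOADER_KEYS:
        return "locky-downloader-fetch"
    if host in C2_HOSTS and p.path == C2_PATH:
        return "locky-c2-checkin"
    return None


def classify_cmdline(cmdline):
    """Return a verdict for a process command line, or None."""
    return "locky-rundll32-launch" if RUNDLL32_RE.search(cmdline) else None


def classify_hash(sha256):
    """Return a verdict for a file SHA-256, or None."""
    return "locky-payload" if sha256.strip().lower() in PAYLOAD_SHA256 else None


def scan(lines):
    """Scan constructed "timestamp source value" lines; return (line_no, verdict, value) hits."""
    dispatch = {"proxy": classify_url, "proc": classify_cmdline, "file": classify_hash}
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        _ts, source, value = parts
        classify = dispatch.get(source)
        verdict = classify(value) if classify else None
        if verdict:
            hits.append((n, verdict, value))
    return hits


# Constructed sample log: one benign line per source type mixed in with hits.
SAMPLE_LOG = [
    "2016-09-06T09:12:01Z proxy http://canonsupervideo4k.ws/2sye3alf",
    "2016-09-06T09:12:02Z proxy http://www.example.com/index.html",
    "2016-09-06T09:12:09Z file e3527c5883bdac9d5556667cdbf409f577b9eadda42e4300f2bd9db2293f753e",
    "2016-09-06T09:12:11Z proc rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2c3d.DLL,qwerty 323",
    "2016-09-06T09:12:12Z proc rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "2016-09-06T09:12:15Z proxy http://85.154.15.150:80/data/info.php",
    "2016-09-06T09:12:20Z proxy http://gsejeeshdkraota.org/data/info.php",
    "2016-09-06T09:12:21Z proxy http://gsejeeshdkraota.org/other.php",
]

if __name__ == "__main__":
    for line_no, verdict, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {value}")
```

The C2 rule keys on host plus the exact /data/info.php path rather than on host alone, so a visit to another path on one of the domains is not reported; widen it deliberately if the environment never legitimately touches those hosts. The rundll32 rule tolerates a random DLL name and either the literal %TEMP% form or an expanded path, because the paste gives the name as "xxxxxxx" and only the export name and argument are stable.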