- 2017-09-07: #locky email phishing campaign "Microsoft Store E-invoice for your order"
- Email sample:
- -----------------------------------------------------------------------------------------------------------
- From: Microsoft <do_not_reply@asia.microsoft.com>
- To: [REDACTED]
- Subject: Microsoft Store E-invoice for your order #7462959180
- Date: Thu, 07 Sep 2017 17:25:53 -0400
- Dear Customer,
- Thank you for shopping with Microsoft Store
- Please find attached or download your official Microsoft Store Invoice.
- Please retain a copy of this invoice for your records. Your Microsoft
- invoice may also be required to obtain warranty services.
- Thank you
- Microsoft Store 2017
- Attachment: MS_INV_6221.7z -> MS_INV_6746.vbs
- -----------------------------------------------------------------------------------------------------------
- - sender is "Microsoft <do_not_reply@[us|eu|asia].microsoft.com>"
- - subject is "Microsoft Store E-invoice for your order #<10 digits>"
- - body of the email contains a link which downloads another downloader like the one attached.
- - attached file "MS_INV_<4 digits>.7z" contains file "MS_INV_<4 digits>.vbs", a VBScript downloader which downloads the encoded malware
- Downloader download sites:
- Malware download sites:
- Malware:
- - locky ransomware, lukitus variant
- - encoded as downloaded, SHA256: 3e1924867806778624d231df10928d4d4deef2b3f24de5505f624ddde7d33636, MD5: 63ed156f8d2efad83cb2d835c3575d16
- - decode by XORing with "ttXahvVnoAyxGwH7YyrZV3PphTR8lbYw"
- - decoded SHA256: 278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f, MD5: 7210b3a262d96b514d07abfe8d601390
- - VT: https://www.virustotal.com/en/file/278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f/analysis/1504818759/
- - HA: https://www.reverse.it/sample/278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f?environmentId=100
- - C2: POST http://185.67.2.156/imageload.cgi, http://46.148.20.53/imageload.cgi
- - config https://pastebin.com/Mg7vuDek, by @James_inthe_box
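As an added example (not from the paste or its author), a small triage helper for the decode step above: it XORs a downloaded blob with the quoted key, hashes the result, checks for a PE header and compares against the hashes the paste gives for the decoded binary. Repeating-key XOR is an assumption, since the paste does not say how the 32-byte key is applied; the embedded input is a constructed stand-in, not the real sample.

```python
import hashlib
from itertools import cycle

# XOR key quoted in the paste for this Lukitus payload.
XOR_KEY = b"ttXahvVnoAyxGwH7YyrZV3PphTR8lbYw"

# Hashes the paste gives for the decoded Locky binary.
EXPECTED_SHA256 = "278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f"
EXPECTED_MD5 = "7210b3a262d96b514d07abfe8d601390"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed scheme). XOR is its own inverse,
    so the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def hashes(data: bytes) -> dict:
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def triage(blob: bytes) -> dict:
    """Decode a downloaded blob, hash both forms, and report whether the
    result looks like a PE file (MZ header) and matches the paste's hashes."""
    decoded = xor_decode(blob)
    h = hashes(decoded)
    return {
        "encoded": hashes(blob),
        "decoded": h,
        "is_pe": decoded[:2] == b"MZ",
        "matches_paste": h["sha256"] == EXPECTED_SHA256 and h["md5"] == EXPECTED_MD5,
    }


# Constructed stand-in for the downloaded file: a fake MZ-headed buffer,
# XOR-encoded with the same key so the decode path can be exercised offline.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed, not the real Locky binary" * 3
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN)

if __name__ == "__main__":
    import sys
    # Pass a path to a captured download to triage it; otherwise use the stand-in.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    for k, v in triage(blob).items():
        print(f"{k}: {v}")
```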