2016-12-21 Locky "Bills"

Racco42, Dec 22nd, 2016
2016-12-21: #locky email phishing campaign "Bills"

Email sample:
----------------------------------------------------------------------------------------------------------------------------
From: JACQUELINE BAILLIE <jacqueline.baillie@ccomme.net>
To: [REDACTED]
Subject: Bills
Date: Wed, 21 Dec 2016 13:10:08 -0300

Hi,

Please check the attached doc above.

Jacqueline

Attached: 677749022948_0001.docm
----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Bills"
- attached file "<12 digits>_0001.docm" is a Microsoft Word 2007+ macro-enabled document; its macro downloads the malware from one of the sites below:

Download sites:
http://192.138.189.69/87gyub
http://1maximus.ru/87gyub
http://adminca.se/87gyub
http://alaliengineering.net/87gyub
http://aministudio.com/87gyub
http://artlab.co.il/87gyub
http://avenueresto.com/87gyub
http://baraderoteinforma.com.ar/87gyub
http://bilestone.ru/87gyub
http://bluelunar.net/87gyub
http://charlenelouw.co.za/87gyub
http://corlouis.com/87gyub
http://diemsolutions.com/87gyub
http://eagleslearning.com/87gyub
http://edunayok.org/87gyub
http://elaissaoui.nl/87gyub
http://esteknik.net/87gyub
http://fallingspringrun.com/87gyub
http://fondazioneprogenies.com/87gyub
http://forstmog.de/87gyub
http://frankfoeckler.de/87gyub
http://friedensschlag.de/87gyub
http://fsamson.com/87gyub
http://gadgetdealz.net/87gyub
http://gages-56.com/87gyub
http://greatgoods2.bravepages.com/87gyub
http://habets.info/87gyub
http://handicraftmag.com/87gyub
http://hid2s.com/87gyub
http://hostalmilabi.com/87gyub
http://hostingjoomla.be/87gyub
http://householdanimals.50webs.com/87gyub
http://housellaw.com/87gyub
http://iachovski.com/87gyub
http://inchallahrencontre.net/87gyub
http://inzt.net/87gyub
http://ipt.se/87gyub
http://isriir.com/87gyub
http://izmirisgb.com/87gyub
http://janvanduikeren.com/87gyub
http://jayacoat-industries.com.my/87gyub
http://jiger.ru/87gyub
http://kayju.com/87gyub
http://keralavoter.com/87gyub
http://kmwine.ge/87gyub
http://knightsure.co.uk/87gyub
http://kodivac.com/87gyub
http://kungfumasterwang.com/87gyub
http://ldagnes.pl/87gyub
http://lijschool.com/87gyub
http://macoinservicios.com/87gyub
http://mass-appeal.com/87gyub
http://minilab.ca/87gyub
http://multielectricos.com/87gyub
http://mysolosource.com/87gyub
http://namecardcenter.net/87gyub
http://nanomedilac.com/87gyub
http://naturalcode-thailand.com/87gyub
http://naughtypixelads.com/87gyub
http://no1archeryandsports.ca/87gyub
http://noisecontrols.com/87gyub
http://noosnegah.com/87gyub
http://paplanindustries.com/87gyub
http://parentchildmothergoose.com/87gyub
http://personalizedleatherbracelet.com/87gyub
http://phayamengrai.chiangrai.doae.go.th/87gyub
http://pozsgaiingatlan.hu/87gyub
http://residencegardenia.it/87gyub
http://revolutionarymom.com/87gyub
http://samasamanehgroup.com/87gyub
http://seolandia.pl/87gyub
http://shouxinghg.com/87gyub
http://speaklifegreetings.com/87gyub
http://spk-bk.ru/87gyub
http://spmoya-semya.ru/87gyub
http://stav-reporter.ru/87gyub
http://stuifmeelenstamper.be/87gyub
http://taddboxers.com/87gyub
http://tanz-trommeln.at/87gyub
http://theservantsoflove.com/87gyub
http://travelinsider.com.au/87gyub
http://travicoperu.com/87gyub
http://usedtextilemachinerylive.com/87gyub
http://vmarzal.com/87gyub
http://web4-magento.com/87gyub
http://webplatter.com/87gyub
http://www.azrodandclassic.com/87gyub
http://www.genesisbilling.net/87gyub
http://www.judo-hattingen.de/87gyub
http://www.junaida.com/87gyub
http://www.langeoog-meerleben.de/87gyub
http://www.rencontreparis.org/87gyub
http://www.tenji-guide.com/87gyub
http://xfjt.org/87gyub
http://yorkshire-pm.com/87gyub

Malware:
- encoded on download: SHA256 2974569356b5f22d79af8d0ed9efbdc20a9a4e8dd8831a84f9f6568bc5df3a5a, MD5 2a85c6d7673d685aa3d1d29b82f9b9ff
- decoding (XOR) key: zuOBnhTXfSI4u0R2S24aaSauh99btOss
- decoded: SHA256 8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4, MD5 d4d8887e188d5dd86cb1f99d8c9912e5
- executed by "rundll32.exe %TEMP%\<filename>.aza,pass" (the decoded payload is a DLL written to %TEMP% with a .aza extension; the text after the comma is the exported entry point rundll32 calls, here "pass")
- sample: https://www.virustotal.com/file/8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4/analysis/1482396386/
  125.  
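The decode step above, as an added example that is not part of the original paste: it assumes the "encoded on download" payload is plain repeating-key XOR with the 32-byte key listed (the paste gives the key but not the exact scheme, so that is an assumption), XORs the blob, checks that the result has an MZ/PE header, and computes both hashes so they can be compared with the ones listed. The payload bytes used when no file is given are a constructed fake PE header, not the real sample, so their hashes will not match the paste.

```python
"""XOR-decode a downloaded Locky payload and sanity-check the result.

Added example, not code from the original paste. Assumes repeating-key XOR
with the 32-byte key from the paste. The built-in sample is a constructed
fake MZ/PE header, not the real DLL.
"""
import hashlib
import sys
from itertools import cycle

# Key as listed in the paste.
XOR_KEY = b"zuOBnhTXfSI4u0R2S24aaSauh99btOss"
# SHA256 of the decoded DLL as listed in the paste.
EXPECTED_DECODED_SHA256 = "8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS stub plus a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(encoded: bytes, key: bytes = XOR_KEY) -> dict:
    """Decode and report hashes of both forms plus whether the result is a PE."""
    decoded = xor_bytes(encoded, key)
    decoded_sha256 = hashlib.sha256(decoded).hexdigest()
    return {
        "decoded": decoded,
        "is_pe": looks_like_pe(decoded),
        "encoded_sha256": hashlib.sha256(encoded).hexdigest(),
        "encoded_md5": hashlib.md5(encoded).hexdigest(),
        "decoded_sha256": decoded_sha256,
        "decoded_md5": hashlib.md5(decoded).hexdigest(),
        "matches_paste": decoded_sha256 == EXPECTED_DECODED_SHA256,
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real DLL: MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)        # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")          # e_lfanew at offset 0x3C
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60   # PE signature, then padding


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:           # encoded blob captured from the wire
            encoded = f.read()
    else:
        # no file given: encode the constructed sample so the decode path is exercised
        encoded = xor_bytes(build_fake_pe(), XOR_KEY)
    result = decode_payload(encoded)
    for k in ("encoded_sha256", "encoded_md5", "decoded_sha256",
              "decoded_md5", "is_pe", "matches_paste"):
        print(f"{k:16} {result[k]}")
    if len(argv) > 2 and result["is_pe"]:        # optional: write the decoded DLL
        with open(argv[2], "wb") as f:
            f.write(result["decoded"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 decode.py captured_87gyub.bin out.dll`; if `is_pe` comes back False with the real download, the encoding is not plain repeating-key XOR with this key and the decoded bytes should not be trusted.
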
C2:
POST http://109.234.38.128/checkupdate
POST http://176.121.14.95/checkupdate
POST http://193.201.225.124/checkupdate
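A detection pass over the indicators above (the attachment naming pattern, the /87gyub download URI and the /checkupdate C2 POSTs), as an added example that is not part of the original paste. The log format it reads is constructed ("<ts> <client> <method> <url> <status>") and is not any particular proxy's format; DOWNLOAD_HOSTS holds only a few of the hosts listed above and would be filled from the full list. It also goes a little beyond the paste by flagging the /87gyub path on hosts that are not in the list, since the compromised download sites churn while the campaign path stays fixed.

```python
"""Match proxy-log requests and attachment names against the Locky "Bills" IOCs.

Added example, not code from the original paste. Log format and sample lines
below are constructed; DOWNLOAD_HOSTS is a subset of the paste's list.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

DOWNLOAD_PATH = "/87gyub"            # same URI on every download site in the paste
C2_PATH = "/checkupdate"
C2_HOSTS = {"109.234.38.128", "176.121.14.95", "193.201.225.124"}
DOWNLOAD_HOSTS = {                   # subset of the list above; extend with the rest
    "192.138.189.69", "1maximus.ru", "adminca.se", "yorkshire-pm.com",
}
ATTACHMENT_RE = re.compile(r"^\d{12}_0001\.docm$", re.IGNORECASE)


def is_campaign_attachment(filename: str) -> bool:
    """"<12 digits>_0001.docm", as described in the paste."""
    return ATTACHMENT_RE.match(filename) is not None


def classify_request(method: str, url: str) -> Optional[str]:
    """Return a verdict for one request, or None if it matches nothing."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if method.upper() == "POST" and host in C2_HOSTS and u.path == C2_PATH:
        return "locky-c2"
    if u.path == DOWNLOAD_PATH:
        # The path is the stable token; a hit on an unlisted host is still
        # worth a look because the compromised download sites change.
        return "locky-download" if host in DOWNLOAD_HOSTS else "locky-download-unlisted-host"
    return None


# Constructed sample log lines: "<ts> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1482325810 10.1.4.22 GET http://adminca.se/87gyub 200
1482325811 10.1.4.22 POST http://109.234.38.128/checkupdate 200
1482325812 10.1.4.23 GET http://www.example.org/index.html 200
1482325813 10.1.4.24 GET http://www.example.net/87gyub 200
1482325814 10.1.4.25 POST http://109.234.38.128/other 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, verdict, url) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        _ts, client, method, url, _status = m.groups()
        verdict = classify_request(method, url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client:12} {verdict:30} {url}")
    print("attachment match:", is_campaign_attachment("677749022948_0001.docm"))
```

A client that appears with a download verdict followed shortly by a C2 verdict, as 10.1.4.22 does in the sample, has most likely run the macro and should be treated as infected rather than merely phished.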