Racco42

2016-09-19 Locky "<no subject>"

Sep 19th, 2016
2016-09-19 #locky email phishing campaign "<no subject>"

Email:
------------------------------------------------------------------------------------------------
From: "Kimberly rob" <Kimberly.rob1@burquip.com>
To: [REDACTED]
Subject: <no subject>
Date: Mon, 19 Sep 2016 23:36:56 +0200

Attachment: 20160919233656532.zip
------------------------------------------------------------------------------------------------
- subject is empty
- body is empty
- attached file 201609[19|20]<random number>.zip contains file <random upcase chars>.hta which contains a JScript downloader

Download sites:
http://easyfo.net/56f2gsu782desf
http://elsoccer.org/56f2gsu782desf
http://gelecekdiyarbakirsigorta.com/56f2gsu782desf
http://hlh.sk/56f2gsu782desf
http://katiejepson.com/56f2gsu782desf
http://office-assistant.nl/56f2gsu782desf
http://pinkeyeevents.com/56f2gsu782desf
http://rancho.org/56f2gsu782desf
http://sbbsinfotech.com/56f2gsu782desf
http://schneebett.com/56f2gsu782desf
http://teknidataconsultores.com/56f2gsu782desf
http://trenddatainc.com/56f2gsu782desf
http://xn--41a.xn----8sbivjiocsggj.xn--p1ai/56f2gsu782desf

UPDATED:
http://birdemetresim.com/56f2gsu782desf
http://dl10testsite.com/56f2gsu782desf
http://forevergarmindo.com/56f2gsu782desf
http://gold-insurance.com/56f2gsu782desf
http://hunt-magazine.com/56f2gsu782desf
http://i-mdv.com/56f2gsu782desf
http://letees.co.uk/56f2gsu782desf
http://oilandgasukwireless.net/56f2gsu782desf
http://onushilon.org/56f2gsu782desf
http://prod23.ru/56f2gsu782desf
http://rennie-mackintosh-jewellery.co.uk/56f2gsu782desf
http://sexjogi.com/56f2gsu782desf
http://sobretesis.com/56f2gsu782desf
http://stellaar.com/56f2gsu782desf
http://stirlingblack.com/56f2gsu782desf
http://worldpennyjar.com/56f2gsu782desf

Malware
- served encoded; as downloaded: SHA256 ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d, filesize 256512 bytes
- decoded payload: SHA256 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"

https://www.reverse.it/sample/334596d89774bd2b1e22bdc499fe3463f4bcfb3b85ed8b245b0e12090ffd6272?environmentId=100
https://www.reverse.it/sample/a0be6cf54ae888de851205d25cbb91f5c24bf3af5422e2a8a1bf1f34dbf495b1?environmentId=100
https://www.reverse.it/sample/494559d75d2a1a3a9007b6f74dfe5cd033bcf85685e2c506fda34088e099d5f7?environmentId=100
https://www.reverse.it/sample/648fbbf3e406135d60b99fe06ece7e41bcaf7a2be953e9bf37d38e37d95e1169?environmentId=100
https://www.reverse.it/sample/a6ad8560aa4c0025dc5ce9207e3a85ab2aec13261d750f6ea1e1f5fd51147a49?environmentId=100

C2:
- no visible C2 communication
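As an added example (not part of the original paste), a small Python IOC matcher that turns the indicators above into checks over three kinds of telemetry: mail metadata (empty subject and body plus the 201609[19|20]<random number>.zip attachment name), proxy logs (the URI path /56f2gsu782desf, which is identical on every download site in both lists), and process-creation events (rundll32.exe loading a DLL from a Temp directory with the export qwerty). The indicator values are transcribed from the paste; every sample mail record, proxy line and command line is constructed for the demo, with the proxy hostnames taken from the download-site list and the .hta and .dll names made up.

```python
"""IOC matcher for the 2016-09-19 Locky "<no subject>" campaign (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# --- indicators transcribed from the paste -------------------------------------
LOCKY_URI_PATH = "/56f2gsu782desf"          # same path on every download site
KNOWN_SHA256 = {
    "ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d": "encoded download",
    "60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e": "decoded payload",
}
# attachment name 201609[19|20]<random number>.zip
ATTACHMENT_RE = re.compile(r"^201609(?:19|20)\d+\.zip$", re.IGNORECASE)
# <random upcase chars>.hta inside the zip
HTA_RE = re.compile(r"^[A-Z]+\.hta$")
# rundll32.exe %TEMP%\<dll_name>,qwerty  (paths may be quoted; the export name is the key)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?[^",]*\\temp\\[^",]+"?\s*,\s*qwerty\b', re.IGNORECASE)


def email_traits(msg: Dict) -> List[str]:
    """List the campaign traits a parsed mail record shows (keys: subject, body, attachments, zip_entries)."""
    traits = []
    if not (msg.get("subject") or "").strip():
        traits.append("empty subject")
    if not (msg.get("body") or "").strip():
        traits.append("empty body")
    traits += [f"attachment {n}" for n in msg.get("attachments", []) if ATTACHMENT_RE.match(n)]
    traits += [f"hta {e}" for e in msg.get("zip_entries", []) if HTA_RE.match(e)]
    return traits


def email_matches(msg: Dict) -> bool:
    """Empty subject/body are too common alone; require the attachment naming as well."""
    t = email_traits(msg)
    return "empty subject" in t and any(x.startswith("attachment ") for x in t)


def proxy_hit(line: str) -> Optional[str]:
    """Return the URL if a proxy log line requests the campaign's URI path, else None."""
    m = re.search(r"\bhttps?://\S+", line)
    if m and urlsplit(m.group(0)).path == LOCKY_URI_PATH:
        return m.group(0)
    return None


def process_matches(cmdline: str) -> bool:
    """True for a rundll32 launch of a DLL under a Temp directory with export 'qwerty'."""
    return RUNDLL32_RE.search(cmdline) is not None


def hash_label(sha256: str) -> Optional[str]:
    """Map a SHA-256 (any case) to the paste's label for it, or None if unknown."""
    return KNOWN_SHA256.get(sha256.strip().lower())


# --- constructed sample telemetry ----------------------------------------------
SAMPLE_EMAILS = [
    {"subject": "", "body": "", "attachments": ["20160919233656532.zip"],
     "zip_entries": ["QWRTYUOP.hta"]},                       # should fire (hta name made up)
    {"subject": "Invoice 4411", "body": "see attached", "attachments": ["inv_4411.pdf"]},
    {"subject": "", "body": "", "attachments": ["20160920104433112.zip"],
     "zip_entries": ["XKDJFHSA.hta"]},                       # should fire
]
SAMPLE_PROXY = [  # squid-style access.log lines, constructed; hosts from the paste's list
    "1474320000.123 451 10.0.0.5 TCP_MISS/200 256512 GET http://easyfo.net/56f2gsu782desf - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1474320001.456 120 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.11 text/html",
    "1474320002.789 330 10.0.0.9 TCP_MISS/200 256512 GET http://prod23.ru/56f2gsu782desf - HIER_DIRECT/203.0.113.12 application/octet-stream",
]
SAMPLE_PROCESSES = [  # Sysmon/EDR-style command lines, constructed; dll names made up
    r'C:\Windows\System32\rundll32.exe C:\Users\alice\AppData\Local\Temp\HGFTREWQ.dll,qwerty',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\ABCDEFGH.dll",qwerty',
]


def scan(emails=SAMPLE_EMAILS, proxy_lines=SAMPLE_PROXY, processes=SAMPLE_PROCESSES) -> Dict[str, list]:
    """Run all three matchers and return what fired, keyed by telemetry type."""
    return {
        "email": [m["attachments"][0] for m in emails if email_matches(m)],
        "proxy": [u for u in map(proxy_hit, proxy_lines) if u],
        "process": [c for c in processes if process_matches(c)],
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(f"{kind}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Run it directly to print the hits. The path check is the strongest network indicator here: the hostnames rotated between the original and updated lists while the path stayed constant, so matching on the path catches sites not yet on the list. The constructed proxy lines also carry the response size 256512, which matches the encoded download's filesize and is a second field worth correlating in real logs. The rundll32 rule keys on the unusual export name qwerty together with a Temp-directory DLL path rather than on a specific DLL name, since the paste records that name as random.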