2016-09-19 #locky email phishing campaign "<no subject>"
Email:
------------------------------------------------------------------------------------------------
From: "Kimberly rob" <Kimberly.rob1@burquip.com>
To: [REDACTED]
Subject: <no subject>
Date: Mon, 19 Sep 2016 23:36:56 +0200
Attachment: 20160919233656532.zip
------------------------------------------------------------------------------------------------
- subject is empty
- body is empty
- attached file 201609[19|20]<random number>.zip contains file <random upcase chars>.hta, which contains a JScript downloader
Download sites:
Malware
- encoded on download, SHA256 ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d, filesize 256512 bytes
- decoded SHA256 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
C2:
- no visible C2 communication
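As an added detection example (not part of the original paste), the functions below flag a message that shows the traits noted above: empty subject, empty body, and a date-stamped 201609[19|20]<number>.zip attachment containing an upper-case-named .hta; a second check recognises the campaign's shared download path 56f2gsu782desf in a URL. The sample archive is constructed inline with an inert placeholder file.

```python
import io
import re
import zipfile

# Naming patterns taken from the campaign description in this note.
ZIP_NAME_RE = re.compile(r"^201609(?:19|20)\d+\.zip$")        # 201609[19|20]<random number>.zip
HTA_NAME_RE = re.compile(r"^[A-Z]+\.hta$")                     # <random upcase chars>.hta
URL_PATH_RE = re.compile(r"^https?://[^/]+/56f2gsu782desf$")   # shared download path


def hta_members(zip_bytes: bytes) -> list[str]:
    """Return the archive entries whose names match the campaign's .hta pattern."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [name for name in zf.namelist() if HTA_NAME_RE.match(name)]
    except zipfile.BadZipFile:
        return []  # not a zip at all: cannot be this campaign's lure


def matches_campaign(subject: str, body: str, attachments: list[tuple[str, bytes]]) -> bool:
    """True when subject and body are empty and some attachment is a
    date-stamped .zip carrying an upper-case-named .hta."""
    if subject.strip() or body.strip():
        return False
    return any(ZIP_NAME_RE.match(name) and hta_members(data) for name, data in attachments)


def is_campaign_url(url: str) -> bool:
    """True for a proxy/DNS log URL that uses the campaign's shared download path."""
    return bool(URL_PATH_RE.match(url))


def sample_zip(hta_name: str) -> bytes:
    """Constructed test archive; the .hta member is an inert placeholder, not the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(hta_name, "<!-- placeholder, constructed for testing -->")
    return buf.getvalue()


if __name__ == "__main__":
    lure = [("20160919233656532.zip", sample_zip("QWERTYAB.hta"))]
    print(matches_campaign("", "", lure))                  # expected: True
    print(is_campaign_url("http://example.invalid/56f2gsu782desf"))  # expected: True
```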