API tools faq
paste
Racco42

2016-10-03 Locky "Rechnung xxxx-xxxxx"

Racco42
Oct 3rd, 2016
1,608
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.04 KB | None | 0 0
raw download clone embed print report
  1. 2106-10-03 #locky email phishing camapign "Rechnung xxxx-xxxxx"
  2.  
  3. Email:
  4. -------------------------------------------------------------------------------------------------------------------
  5. From: mpsmobile GmbH <info53@mpsmobile.de>
  6. To: [REDACTED]
  7. Subject: Rechnung 2035-0800613
  8. Date: Mon, 03 Oct 2016 13:58:39 +0530
  9.  
  10. Sehr geehrte Damen und Herren,
  11.  
  12. anbei erhalten Sie das Dokument 'Rechnung 2035-0800613' im XLS-Format. Um es betrachten und ausdrucken zu konnen, ist der Mic
  13. rosoft Excel erforderlich. Diesen konnen Sie sich kostenlos in der aktuellen Version aus dem Internet installieren.
  14.  
  15. Mit freundlichen Grussen
  16. mpsmobile Team
  17. ___________________________________
  18.  
  19. Dear Ladies and Gentlemen,
  20.  
  21. please find attached document ''Rechnung 2035-0800613' im XLS-Format. To view and print these forms, you need the Microsoft Excel, which can be downloaded on the Internet free of charge.
  22.  
  23. Best regards
  24. mpsmobile GmbH
  25.  
  26. mpsmobile GmbH
  27. Bruhlstrasse 42
  28. 88416 Ochsenhausen
  29. Tel: +49 7352 923 23 0
  30. Fax: +49 7352 923 23-29
  31. Email: info@mpsmobile.de
  32. Handelsregister Amstgericht ULM HRB 727290
  33. Sitz der Gesellschaft: Ochsenhausen
  34. UStIDNr: DE 281079008
  35.  
  36. Diese E-Mail enthalt vertrauliche und/oder rechtlich geschutzte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtumlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet.
  37.  
  38. Attachement: 7679_Rechnung_2035-0800613_20161003.xls
  39. -------------------------------------------------------------------------------------------------------------------
  40. - sender varies, but is always "mpsmobile GmbH" email address info<random_number>@mpsmobile.de
  41. - subject is "Rechnung <4 numbers>-<4-7 numbers>
  42. - attached file "<4 numbers>_Rechnung_<4 numbers>-<4-7 numbers>_20161003.xls" is a Microsoft Excel files with malicious macros that will download malware from:
  43.  
  44. Download sites:
  45. http://acaciainvest.ro/jhg45s
  46. http://alraysa.com/jhg45s
  47. http://bluewaterappco.com/jhg45s
  48. http://cedrussauna.com/jhg45s
  49. http://crossroadspd.com/jhg45s
  50. http://denvertracy.com/jhg45s
  51. http://dickenshandchimes.com/jhg45s
  52. http://far-infraredsaunas.com/jhg45s
  53. http://gcandcbuilderssite.aaomg.com/jhg45s
  54. http://hostmyimage.biz/jhg45s
  55. http://inmopromo.com/jhg45s
  56. http://mmm2.aaomg.com/jhg45s
  57. http://monkeysdragon.net/jhg45s
  58. http://parkerneem.com/jhg45s
  59. http://tsukasagiku.com/jhg45s
  60. http://villadiana.lv/jhg45s
  61.  
  62. UPDATED:
  63. http://antiquescollectablesandjuststuff.com/jhg45s
  64. http://atronis.com/jhg45s
  65. http://boservice.info/jhg45s
  66. http://catlong.com/jhg45s
  67. http://craftsreviews.com/jhg45s
  68. http://golfnauvoo.com/jhg45s
  69. http://new2.aaomg.com/jhg45s
  70. http://orhangazitur.com/jhg45s
  71. http://test.cedrussauna.net/jhg45s
  72.  
  73. UPDATED:
  74. http://anthonycarducci.lawyerpublicity.com/jhg45s
  75. http://nonprofitbenefit.com/jhg45s
  76. http://parkerneem.com/jhg45s
  77. http://softwaregolower.com/jhg45s
  78.  
  79. UPDATED:
  80. http://denvertracy.com/jhg45s
  81. http://hostmyimage.biz/jhg45s
  82. http://webhost911.com/jhg45s
  83.  
  84. UPDATED:
  85. http://acaciainvest.ro/jhg45s
  86. http://alraysa.com/jhg45s
  87. http://msurf.net/jhg45s
  88.  
  89.  
  90. Malware:
  91. - encoded on download, SHA256 add73fec10fbb1001e6e1c00b05c61396210bc1075a38fb3e0c2a3a9a05e0674, filesize 208896 bytes
  92. - decoded SHA256 8a8296877ee7c8df755204f98c5be0dad849ca74abe1b282f26314c769c1f68e
  93. - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
  94. - samples
  95. https://www.reverse.it/sample/2103272020aacf5de2d7f86c95e47f8f53db6d6529ba5327b8e003d54c1f0120?environmentId=100
  96. https://www.reverse.it/sample/85ad1ea8f397e143095d702f8b85cd81a0e67c68ddccd8fda540589e3e617b03?environmentId=100
  97. https://www.reverse.it/sample/d8019bad39b242d52deae8f021d2df4c058e90262e99e8be1677343bed923624?environmentId=100
  98. https://www.reverse.it/sample/b5f99c5013ab1e3b3fd4e654ec69aaef5c5c7273c19eec26de1b65260b7f60fa?environmentId=100
  99. https://www.reverse.it/sample/39899e36043dd1197a286061e42e1bbcc314e06470f9c72b7879668a5b76e94a?environmentId=100
  100.  
  101. C2:
  102. POST 149.202.52.215:80/apache_handler.php
  103. POST 217.12.199.244:80/apache_handler.php
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!