API tools faq
paste
Racco42

2016-11-07 Locky "Financial documents"

Racco42
Nov 8th, 2016
1,379
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.17 KB | None | 0 0
raw download clone embed print report
  1. 2016-11-07 #locky email phishing campaign "Financial documents"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------
  5. From: "Latoya Contreras" <Contreras1918@airtel.in>
  6. To: [REDACTED]
  7. Subject: Financial documents
  8. Date: Mon, 07 Nov 2016 16:08:14 +0530
  9.  
  10. Hi [REDACTED]
  11.  
  12. These financial documents need to be uploaded on the system.
  13. Please let me know if you experience any technical problems.
  14.  
  15. Best Wishes,
  16. Latoya Contreras
  17.  
  18. Attachment: fin_docs_bdba78f9c.zip
  19. -----------------------------------------------------------------------------------------------------
  20. - sender varies between email
  21. - subject is "Financial documents"
  22. - attached file "fin_docs_<random hexa chars>.zip" contains file "NRV_<random chars>_.vbs", a VBScript downloader
  23.  
  24. Download sites:
  25. http://alrawfed.com/u53nj
  26. http://ayulduz.biz/nksb00
  27. http://bechsautomobiler.dk/m8idi9j
  28. http://birthdaystoday.net/o8zz7nc1
  29. http://coachatelier.nl/lg8s2
  30. http://debki-klara.pl/twn3gbf2
  31. http://decactus.cl/ns5am
  32. http://desertkingwaterproofing.com/ma4562
  33. http://edu-net.ro/u5riv3x
  34. http://esustentables.com.ar/ag9phlz
  35. http://evogelbacher.de/j1x577ka
  36. http://filmsites.nl/k6vbr
  37. http://halerblot.com/08pqc
  38. http://halerblot.com/3rbsn9n
  39. http://halerblot.com/22eorv
  40. http://loterotal.net/1yxbd
  41. http://owkcon.com/1nu7n
  42. http://owkcon.com/6xgohg6i
  43. http://panselunel.net/7b3kmm
  44. http://zapashydro.net/4b5aii
  45. http://zapashydro.net/6sgto2bd
  46.  
  47. halerblot.com/6fdvcoy 9a7d5818a5d2b85f3ee402f138fd6dc097ebf6787cae111513a022c204ce5b34
  48.  
  49. Malware:
  50. - NOT encoded on download:
  51. fc76d93c55514257070b81380d7bcaa1061dab62afe8067a9b9c124d56e1b9ef http___alrawfed.com_u53nj
  52. a6c5eea1a5c09aae396abf86ddf591e790919a76152059fd3a5fabd31aceb140 http___ayulduz.biz_nksb00
  53. 8302a35268f3a0dbcb82652393ccda987e210f0b8deb80ca72655137db7af810 http___birthdaystoday.net_o8zz7nc1
  54. e9164e04f50b37ecb0d1aae6474c3c5eba04a8918cfda8a73ad1e825f9217361 http___coachatelier.nl_lg8s2
  55. 889f60ca7d5c0c4a46d281257948248de451c5e67504115e26bbe056c09ee7d6 http___debki-klara.pl_twn3gbf2
  56. 300bb01d860cbff0a0fdc4b2c64f2e374e2957a54bc5215312e6987d856386f2 http___decactus.cl_ns5am
  57. e2e1b0f91ce175bdf72136468bbd95443ca9ecd9352a445067a7a3aaa0ee7db1 http___desertkingwaterproofing.com_ma4562
  58. 9388bf5c2a1ac690cf725970d96f650b1b4efd5486184ccb51358db97550e7f2 http___edu-net.ro_u5riv3x
  59. 5b3318da318976219267449b3327c26f14b41b13d3e893c93b416b7c7d0de52d http___esustentables.com.ar_ag9phlz
  60. 388fdbefff505111150094016af1f58c67746b34d4ea3a8bb64ba4936af50f4f http___evogelbacher.de_j1x577ka
  61. 1e0bfde4c8de5326e33ce6ea388d68779a299176d945b441138ef24cc9eaf32d http___filmsites.nl_k6vbr
  62. cfe0710b2821cf27cfc2b4830f5f03afbdc475c7471c738d5547188ead6a6ab6 http___halerblot.com_08pqc
  63. 3e283539f0d9f6c6d8bad43167b17666753c04962a7eb14049909fb83d5baa82 http___halerblot.com_3rbsn9n
  64. b1e0726a463b41acf30f2ebbfddf323c1bca7bcd2036adf9621d564c6ec015db http___halerblot.com_22eorv
  65. 34cd0b6866d177e48f6332b19046bd31d078503fded88b3c9bc35f18a2721fc8 http___loterotal.net_1yxbd
  66. 607e18ebbd3804a1f05e88ef77b27dd0cc93a14e267281b7477d8e463f8e1b8a http___owkcon.com_1nu7n
  67. ace8009733fe7811c47b596f8e8d790aa12d0b3694b44513757a157ddd5fe22a http___owkcon.com_6xgohg6i
  68. 07a8dc907498ff956d00347c671d93ba283c4bb58c49ae004cc04964692e2331 http___panselunel.net_7b3kmm
  69. 8bdc88ed893c41aded63e3699ce04c301ea5d326781fb6d50c10262bf7465ce1 http___zapashydro.net_4b5aii
  70. fdcf38c65c2f0e1c58389b9dfe683a31befcec6a7cb579e3aa6eff18e3dd98d2 http___zapashydro.net_6sgto2bd
  71.  
  72. - executed by "rundll32.exe %TEMP%\<dll_name>,bbb 417"
  73. - samples:
  74. https://www.reverse.it/sample/35bb3fea04e2cb4bada0a29a91d27a1ee457a0a7eb9a9f033a597401416d1959?environmentId=100
  75. https://www.reverse.it/sample/130e0a3022e1470dcc0cd3b34638c072fdeb58c05acc528406ebb09057e89554?environmentId=100
  76. https://www.reverse.it/sample/defd12e12d33b93780ae777ee0bf56a8d74185fea06844965624dd66dadb520b?environmentId=100
  77.  
  78. C2:
  79. 185.67.0.102:80 POST /message.php
  80. 188.65.211.181:80 POST /message.php
  81. 195.123.211.229:80 POST /message.php
  82.  
  83. akufldsjlcyntbtq.biz
  84. cscdomk.ru
  85. drpmfxqqhhe.work
  86. fwyecrapmwiescamb.info
  87. gowcifwxytc.biz
  88. kcjgdxep.pw
  89. pdqgefjnekpydy.su
  90. rqppmufvesfrs.org
  91. sfsljbulrimpk.su
  92. thexaiugfckdpdr.ru
  93. xcvrhfingmenyt.su
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!