2017-09-05 Locky "Invoice from Verizon"

Racco42, Sep 5th, 2017 (edited)
2017-09-05: #locky email phishing campaign "Invoice INV-000xxx from Verizon"

Email sample:
-------------------------------------------------------------------------------------------------------------------------
From: Randall Wigert <messaging-service86@merak-knorr.com.ar>
To: [REDACTED]
Subject: Invoice INV-00061 from Verizon
Date: Tue, 05 Sep 2017 14:14:25 +0700

Dear customer,

Here's invoice INV-00061 for USD 909.73.

The amount outstanding of USD 909.73 is due on 4 Sept 2017.

View your bill online: http://artdevinci.com/Invoice_INV-00090.7z

From your online bill you can print a PDF, export a CSV, or create a free login and view your outstanding bills.

If you have any questions, please let us know.

Thanks,

Randall Wigert
Verizon Privacy Office
1300 I Street, NW
Suite 400 West
Washington, DC 20005
Fax: 202-789-1432

Attachment: Invoice INV-00061.7z -> INV-000193.vbs
-------------------------------------------------------------------------------------------------------------------------
- sender is "messaging-service<digits>@<random domain>"
- subject is "Invoice INV-000<2-3 digits> from Verizon"
- body contains a link that downloads a VBS downloader of the same kind as the attached one
- attached file "INV-000<2-3 digits>.7z" contains the file "INV-000<2-3 digits>.vbs", a VBScript downloader which fetches the malware from one of the malware download sites:

Downloader download sites:

Malware download sites:

Malware:
- encoded on download, SHA256: 6acedd095ace83945ce0d5ab646c97087bf89db79a89e75258ae813a9ddeefb0, MD5: e75a801f7fd6d1fd4521e1ac87e6657b
- decoded by XORing with "bDWZT7cLuVBDjnhVGuShv9lzZHmD1laq"
- decoded SHA256: b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3, MD5: 13df2fb3b8625ec6691784b64d4337ab
- VT: https://www.virustotal.com/file/b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3/analysis/1504597240/
- HA: https://www.reverse.it/sample/b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3?environmentId=100
- C2: POST 109.234.35.75/imageload.cgi
- Extension: .lukitus
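Added example (not part of the paste): an analyst-side decoder for the encoding step above, XORing a downloaded blob with the quoted key and checking the result against the two SHA256 values reported. It assumes the key is applied cyclically (the paste does not say) and that the decoded payload is a Windows PE; the script name and file paths are placeholders.

```python
import hashlib
import sys
from itertools import cycle

# Values reported in the paste above: the XOR key, and the SHA256 of the
# blob as downloaded and of the decoded payload.
XOR_KEY = b"bDWZT7cLuVBDjnhVGuShv9lzZHmD1laq"
ENCODED_SHA256 = "6acedd095ace83945ce0d5ab646c97087bf89db79a89e75258ae813a9ddeefb0"
DECODED_SHA256 = "b65048ade795961403fecee8a779a838fe6ebcd4f9c83d7fe6b7d24b877493e3"

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against key, repeating the key cyclically.

    Assumption: the paste does not say how the 32-byte key covers a longer
    file; a cyclically repeated key is the usual scheme for these
    downloaders. XOR is its own inverse, so this encodes and decodes.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decode_and_verify(encoded: bytes, expected_encoded: str = ENCODED_SHA256,
                      expected_decoded: str = DECODED_SHA256) -> dict:
    """Decode a downloaded blob and check it against the reported hashes.

    encoded_hash_matches False: not the sample from this write-up, so the
    key may differ. decoded_hash_matches False: key or scheme is wrong and
    the output is not trustworthy. looks_like_pe is a cheap sanity check
    (assumption: the payload is a Windows PE, which starts with "MZ").
    """
    decoded = xor_with_key(encoded)
    return {
        "decoded": decoded,
        "encoded_hash_matches": sha256_hex(encoded) == expected_encoded,
        "decoded_hash_matches": sha256_hex(decoded) == expected_decoded,
        "looks_like_pe": decoded[:2] == b"MZ",
    }

if __name__ == "__main__":
    # usage: python decode_sample.py <downloaded-blob> <output-file>
    with open(sys.argv[1], "rb") as f:
        result = decode_and_verify(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(result["decoded"])
    print({k: v for k, v in result.items() if k != "decoded"})
```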