API tools faq
paste
Racco42

2016-09-14 Locky "Account report"

Racco42
Sep 14th, 2016
1,673
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.78 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-14 #locky email phishing campaign "Account report"
  2.  
  3. Email:
  4. --------------------------------------------------------------------------------------------------
  5. From: "Robin Alexander" <Alexander.65879@centuritex.com.tw>
  6. To: [REDACTED]
  7. Subject: Account report
  8. Date: Wed, 14 Sep 2016 14:30:39 +0700
  9.  
  10. Dear [REDACTED], we have detected the cash over and short in your account.
  11.  
  12. Please see the attached copy of the report.
  13.  
  14. Best regards,
  15. Robin Alexander
  16. e-Bank Manager
  17.  
  18. Attachement: 5febbb95d9.zip
  19. --------------------------------------------------------------------------------------------------
  20. - sender name differs between emails <surname>.<number>@<domain>
  21. - subject is "Account report"
  22. - attachment <random hexa chars>.zip contains two identical files " Account report <random hexa chars>.wsf" and " Account report <random hexa chars> (copy).wsf" a JScript downloaders
  23.  
  24. Download sites:
  25. http://adzebury.com/hl4jon6s
  26. http://citmowra.in/103k7o
  27. http://ecadxyst.net/c47vp
  28. http://maydayen.net/l835ztl
  29. http://sparmsov.org/62737
  30. http://sternhala.com/c6wszjm
  31.  
  32. Malware
  33. - encoded on download, filesize 138879 bytes
  34. a1d75de5201690794a2dcdaa99863bb34b3b7f1213d3f00f464b81a7837fa2cd http___adzebury.com_hl4jon6s
  35. 03398121afc508eb102e8912b725cd974493664e26e3b05d2c48e2428076d65d http___citmowra.in_103k7o
  36. 29ea636a2cecba20cc4bb28d85be4ac17c8a9a84f2bf7c1a990ccb46371f3e75 http___ecadxyst.net_c47vp
  37. 7044061bca8a8f36d70689dd8472fc6a0516af5a9042b0c1ee047fdd8a89ccb8 http___maydayen.net_l835ztl
  38. c542d7fa873a5448ab84e932a94bbc3c895b16fab174b89e05c0affb8d3809e0 http___sparmsov.org_62737
  39. 628b82645b44a81b8d8df933070b2f22b788a4448ca5e7429dc43ecf1c2660ad http___sternhala.com_c6wszjm
  40. - decoded
  41. 3a04a4a134052f6e39924f05674a027c950cf56af326a63268ad60acc73e2420 http___citmowra.in_103k7o
  42. 467a4e6e5b4b78c27a404f737a6ed76d7b2ff084ba190bb56c276099570c9867 http___maydayen.net_l835ztl
  43. 9dbb9f97fc2112b516de2e7c88dfc0c082f914fe45ed1d51a2ea048e7398f2e9 http___ecadxyst.net_c47vp
  44. - executed by "rundll32.exe %TEMP%\EIILO9~1.DLL,qwerty 323"
  45.  
  46. https://www.reverse.it/sample/e1f615ce1f91b41c11b3cccae9b5a42c4501375a261972bc47c3b08e5a793d07?environmentId=100
  47. https://www.reverse.it/sample/79430e37f55f55bf54e543e72cd041e997802bac02c516db0740fa8d035e4f9b?environmentId=100
  48. https://www.reverse.it/sample/2742f15753fa8d2948e7c889fbf5a11533000f0eae17c137144c1401fe7ad850?environmentId=100
  49. https://www.reverse.it/sample/9ff6b6f74f21a4bc93f0fbc37e8bd527229c46f55c61c7c7f0bf40030562312f?environmentId=100
  50. https://www.reverse.it/sample/3fae7049746471e2098b72b900380a925a2e6852db5b6f40ea2230affad87b98?environmentId=100
  51. https://www.reverse.it/sample/35929eec83a3dc47e4b26584b8ab41eb119cd2e11df6f32f5adbc0260f61ae30?environmentId=100
  52.  
  53. C2:
  54. 51.255.105.2:80/data/info.php
  55. 95.85.29.208:80/data/info.php
  56. 91.226.92.213:80/data/info.php
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!