- 2016-12-21: #locky email phishing campaign "scanned copy"
- Email samples:
- -----------------------------------------------------------------------------------------------------------------------------
- From: "concetta ashbury" <concetta.ashbury@dag.gb.com>
- To: [REDACTED]
- Subject: scanned copy
- Date: Thu, 22 Dec 2016 12:30:54 +0530
- Attachment: EPSON000000076.zip -> XAD4A9AF.vbs
- -----------------------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "scanned copy"
- - email body is empty
- - attached file "<HP|EPSON|CANON|BR>0000000<1-3 digits>.zip" contains file "<6-9 uppercase letters and digits>.vbs"
- Download sites:
- http://023pc.cn/result
- http://123good.cn/result
- http://17tattoo.com/result
- http://902f.com/result
- http://acp-dom.ru/result
- http://aguamineralsantacruz.com.br/result
- http://airportrentacar.ro/result
- http://allard-g.be/result
- http://alsrv.ca/result
- http://aqua-inter.com/result
- http://aspecta-aso.net/result
- http://audehd.com/result
- http://axmetrix.com/result
- http://bastacycling.com/result
- http://benelist.cz/result
- http://blackseo.ir/result
- http://boyni.ru/result
- http://canbal.net/result
- http://cdsp.pl/result
- http://cherry-pik.com/result
- http://chmk.ca/result
- http://cltserve.org/result
- http://conor.com.mx/result
- http://convergencevineyards.com/result
- http://crbl-bg.net/result
- http://culturepick.com/result
- http://cycollierville.com/result
- http://dartess.ru/result
- http://delreywindows.com/result
- http://demail.eu/result
- http://designerdogwear.com/result
- http://digital1.50webs.com/result
- http://directprotectsolutions.co.uk/result
- http://dobrinin.ru/result
- http://drwonder.org/result
- http://edit-imprimerie.com/result
- http://elfrasha.com/result
- http://e-vime.com/result
- http://faithfull.kdm.pl/result
- http://fastfine.ru/result
- http://ferkilestkd.com/result
- http://file-brochure.com/result
- http://franjaroja.emcali.net.co/result
- http://furniturlab.com/result
- http://gerkar.pl/result
- http://gps.50webs.com/result
- http://greensys.nayana.com/result
- http://gurkhaadventures.com/result
- http://halogen.dp.ua/result
- http://hanavanpools.com/result
- http://hiltrud.probst.cx/result
- http://hnzldc.com/result
- http://hongikmediaplus.com/result
- http://hootys.biz/result
- http://htocvt.org/result
- http://hzdadu.com/result
- http://jira.fastfine.ru/result
- http://oliverkuo.com.au/result
- http://phpwind.0592yt.com/result
- http://pliki-kirbyworld.50webs.com/result
- http://rosenblut4u.de/result
- http://shema.org.ua/result
- http://www.albertproduction.se/result
- http://www.bewustbv.nl/result
- http://www.consurshop.com/result
- http://www.cryoniq.com/result
- http://www.foyerstg.pro/result
- http://www.garrox.com/result
- http://www.globalchristiantrust.com/result
- Malware:
- - encoded on download SHA256 a406a67e5620bbe79026546e3889375497611955ff5248e9bdfef857982f26ba, MD5 a4968bc9ee57ffec4109f9cb2d63e287
- - decoding (XOR) string: bO6Htv5FLi7KnnQThYEQbX57IV4Zt2yM
- - decoded SHA256 a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa, MD5 20428fa7f32b9fd93c3b8f9c9f2d259f
- - executed as "rundll32.exe %TEMP%\<filename>,large"
- - samples https://www.virustotal.com/file/a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa/analysis/1482396435/
- https://www.reverse.it/sample/d8758da1d4408465de8b8231e34bf7536e7ffc0c83a46013db4f728401d9be68?environmentId=100
- C2:
- POST http://176.121.14.95/checkupdate
- POST http://193.201.225.124/checkupdate
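Triage helpers built from the notes above, as an added example that is not part of the original paste. It covers two of the passages: the attachment naming convention from the email samples (a matcher for the "scanned copy" pattern) and the payload handling under "Malware" (XOR decode with the listed string, then a SHA256 and MZ-header check), plus a small classifier for the /result download and /checkupdate C2 URLs. The XOR string, the decoded SHA256, the C2 IPs and the download hosts are taken from the notes; the assumption that the XOR is a plain repeating-key XOR, the subset of download hosts embedded here, and the MZ-headed sample blob are mine and are labelled as such in the code.

```python
"""Triage helpers for the 2016-12-21 Locky "scanned copy" wave (added example).

Patterns, key, hash, C2 IPs and download hosts come from the notes; the
repeating-key XOR scheme and the sample payload are assumptions/constructed.
"""
import hashlib
import re
from itertools import cycle
from urllib.parse import urlparse

# Attachment naming convention from the notes:
#   "<HP|EPSON|CANON|BR>0000000<1-3 digits>.zip" -> "<6-9 uppercase letters/digits>.vbs"
ZIP_NAME_RE = re.compile(r"^(?:HP|EPSON|CANON|BR)0000000\d{1,3}\.zip$")
VBS_NAME_RE = re.compile(r"^[A-Z0-9]{6,9}\.vbs$")

# Payload and infrastructure details from the notes.
XOR_KEY = b"bO6Htv5FLi7KnnQThYEQbX57IV4Zt2yM"
DECODED_SHA256 = "a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa"
C2_IPS = {"176.121.14.95", "193.201.225.124"}
# Subset of the /result download hosts listed in the notes (extend from the full list).
DOWNLOAD_HOSTS = {"023pc.cn", "123good.cn", "17tattoo.com", "902f.com", "acp-dom.ru"}


def matches_campaign_attachment(zip_name, inner_name, subject, body):
    """True when subject, empty body and both file names fit the campaign's pattern."""
    return (
        subject.strip().lower() == "scanned copy"
        and body.strip() == ""
        and ZIP_NAME_RE.match(zip_name) is not None
        and VBS_NAME_RE.match(inner_name) is not None
    )


def xor_decode(data, key=XOR_KEY):
    """Repeating-key XOR. ASSUMPTION: the notes only say "decoding (XOR) string",
    so a plain repeating key is assumed. XOR is symmetric, so this also encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob):
    """The decoded file is launched via rundll32, so it should start with a DOS 'MZ' stub."""
    return blob[:2] == b"MZ"


def decode_and_verify(encoded, expected_sha256=DECODED_SHA256):
    """Decode a downloaded blob; return (decoded, sha256 matches expected, has MZ header)."""
    decoded = xor_decode(encoded)
    digest = hashlib.sha256(decoded).hexdigest()
    return decoded, digest == expected_sha256, looks_like_pe(decoded)


def classify_url(method, url):
    """'download' for a /result fetch from a listed host, 'c2' for a /checkupdate
    POST to a listed IP, otherwise None."""
    parts = urlparse(url)
    if parts.path == "/result" and parts.hostname in DOWNLOAD_HOSTS:
        return "download"
    if parts.path == "/checkupdate" and method.upper() == "POST" and parts.hostname in C2_IPS:
        return "c2"
    return None


# --- Constructed demo data (not the real sample) ----------------------------
# A minimal MZ-headed stand-in for the DLL, encoded with the campaign key so the
# decode/verify path can be exercised offline.
SAMPLE_DLL = b"MZ" + bytes(range(60)) + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_DLL_SHA256 = hashlib.sha256(SAMPLE_DLL).hexdigest()
SAMPLE_ENCODED = xor_decode(SAMPLE_DLL)


if __name__ == "__main__":
    print(matches_campaign_attachment("EPSON000000076.zip", "XAD4A9AF.vbs", "scanned copy", ""))
    decoded, hash_ok, is_pe = decode_and_verify(SAMPLE_ENCODED)
    # hash_ok is False here because the demo blob is not the real sample; is_pe is True
    print(hash_ok, is_pe)
    print(classify_url("POST", "http://176.121.14.95/checkupdate"))
```

For a real downloaded blob, pass the file's bytes to decode_and_verify with the default expected hash; a True second value ties the decoded file to the sample in the notes, and a True third value says the payload is at least shaped like the DLL rundll32 would load.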