2019-09-16 #locky email phishing campaign "Attached, Copy, Emailing, File"
Email:
---------------------------------------------------------------------------------------------------
From: "Tabitha" <Tabitha239@packstation.de>
To: <uperkunde@packstation.de>
Subject: [SUSPICIOUS MESSAGE] Emailing: Scan(504)
Date: Fri, 16 Sep 2016 07:23:02 +0430
Attachment: Scan(504).zip
---------------------------------------------------------------------------------------------------
- sender address varies between emails, but it always appears to come from the recipient's own domain
- body is empty
- subject has the format: [Attached|Copy|Emailing|File]: [Document|Scan|Receipt](<number>)
Download sites (the actual URLs carry the suffix "?_RND_=_RND_", probably a script mistake, which does not affect the download):
http://adityastar.com/wixcrqd
http://aeroptim.com/pobehuh
http://alexandrkireev.ru/rqcklbm
http://all4supply.com/wduwkdf
http://baanmuifah.com/njnfpdi
http://b-creative.be/xxaginj
http://bukkuz.com/qyopafb
http://demo.website.pl/ugfsfed
http://earnbyemail.com/ngrxgbv
http://fgspro.com/qjyywqs
http://googlecheck.nl/wwtgmaw
http://gumorca.com/obdntxs
http://helpmybathroom.com/ivrofne
http://hollystamps.com/sjhvhjg
http://inovsol.com/onkwnod
http://islamiccollege.org/uytedjl
http://jsydjc.com/nakhldo
http://kliksiska.com/ciwdpgg
http://lv-nexis.com/unicyct
http://mahovik-bg.com/gnixsfq
http://malamalamak9.net/nmxsijq
http://markanltd.com/rrdmwim
http://mclodesigns.com/edvxmhd
http://nipeldogalgaz.com/dplsdkf
http://paraspokeri.net/rvtgffk
http://proforceaudio.com/onhejgc
http://psychquiz.com/uxpfxgh
http://rentvspb.ru/gtipssu
http://salemwitchcat.com/ynksvkq
http://samenart.com/nyvsbcl
http://sanalnet.org/astqmgt
http://shopmjn.com/kxhujmk
http://sinergica.cl/eveasxb
http://smt112.com/rleptuo
http://swivelsrus.com/neginnl
http://szamba-betonowe.org/eswfxrm
http://thewebgroup.net/suvahvg
http://tobybender.com/ocwklsy
http://travelvoice.com/jvktjob
http://turkmennews.com/ucqwjvy
http://urachart.com/vtnqgoc
http://walterssigns.com/turjsty
http://wongcs.com/ytcccbr
http://xsolution.sk/ljkyemd
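The lure traits listed above (sender in the recipient's own domain, empty body, the fixed subject pattern, a .zip attachment) and the "?_RND_=_RND_" suffix on the download URLs can be turned into a mail-gateway check. The following is an added example written for this page, not code from the paste's author: it parses a raw message with Python's standard email module, scores the campaign traits, and matches URLs against the IoC list after stripping the query string. The two sample messages, the three-of-four threshold and the small subset of IoC URLs are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, urlunsplit

# Subject format from the campaign note:
#   [Attached|Copy|Emailing|File]: [Document|Scan|Receipt](<number>)
# A leading gateway tag such as "[SUSPICIOUS MESSAGE]" is tolerated.
SUBJECT_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?(?:Attached|Copy|Emailing|File):\s*"
    r"(?:Document|Scan|Receipt)\(\d+\)\s*$"
)

# Subset of the download URLs from the note (assumption: a full deployment
# would load the whole list), stored without the "?_RND_=_RND_" suffix.
KNOWN_URLS = {
    "http://adityastar.com/wixcrqd",
    "http://aeroptim.com/pobehuh",
    "http://xsolution.sk/ljkyemd",
}


def normalize_url(url):
    """Lower-case scheme/host and drop query and fragment, so that
    'http://host/path?_RND_=_RND_' compares equal to the bare IoC."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def url_is_known(url):
    return normalize_url(url) in KNOWN_URLS


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lure_indicators(raw_message):
    """Return the campaign traits found in a raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw_message)
    hits = []

    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    if _domain(sender) and _domain(sender) == _domain(recipient):
        hits.append("sender_spoofs_recipient_domain")

    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject_matches_pattern")

    body_empty = True
    zip_attached = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(".zip"):
                zip_attached = True
            continue  # attachments do not count as body text
        payload = part.get_payload(decode=True) or b""
        if payload.strip():
            body_empty = False
    if body_empty:
        hits.append("empty_body")
    if zip_attached:
        hits.append("zip_attachment")
    return hits


def is_locky_lure(raw_message, min_hits=3):
    """Assumed policy: three of the four traits is enough to quarantine."""
    return len(lure_indicators(raw_message)) >= min_hits


# Constructed sample modelled on the headers quoted in the note; the zip
# payload is a placeholder, not the real attachment.
SAMPLE_LURE = """\
From: "Tabitha" <Tabitha239@packstation.de>
To: <uperkunde@packstation.de>
Subject: [SUSPICIOUS MESSAGE] Emailing: Scan(504)
Date: Fri, 16 Sep 2016 07:23:02 +0430
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

--BOUNDARY
Content-Type: application/zip; name="Scan(504).zip"
Content-Disposition: attachment; filename="Scan(504).zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUNDARY--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice" <alice@example.org>
To: <bob@packstation.de>
Subject: Re: invoice question
Date: Fri, 16 Sep 2016 09:00:00 +0200

Hi Bob, see my answer below.
"""

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE), is_locky_lure(SAMPLE_LURE))
    print(lure_indicators(SAMPLE_BENIGN), is_locky_lure(SAMPLE_BENIGN))
    print(url_is_known("http://adityastar.com/wixcrqd?_RND_=_RND_"))
```

The domain comparison is deliberately on the display From header, because that is what the campaign spoofs; a real gateway would combine it with SPF/DMARC results on the envelope sender rather than rely on the header alone.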
Malware:
- encoded on download, SHA256 5259a7ee4e1524d3355c39566ddf6ebf5c6605b7687577ce15da07eeef57c2c8, filesize 343589 bytes
https://www.reverse.it/sample/9aca4ed2cf68bfc90a30574b680a3bdf5437667aff06d6a9f5cc7568787a52f0?environmentId=100
https://www.reverse.it/sample/ebfe96f36ba5f53ef5a8fbe47e78c04a33ba6cae4307bb8f1ca0a65b76b9f121?environmentId=100
https://www.reverse.it/sample/8ef8be74afab109e5b25ae28bb4dbf3c9a7b5c70b5fc628a89af92f427cbef89?environmentId=100
https://www.reverse.it/sample/8ba39aa765c8fe2316fde4facf39b0e16d15d28a516bcc49f5b78ac561ee6491?environmentId=100
https://www.reverse.it/sample/7a24de364a994d1d33b497611d614eb800f335519666157de8eb7080fbdc98f0?environmentId=100
- decoded SHA256 779d99732cb2def99cdefea2bf40cb6d3074575c31f63fa47b57581bb210e543, filesize 343589 bytes
- decoded binary is executed as .exe without parameters
C2:
- no C2 communication seen