Racco42

2016-09-16 Locky "Attached, Copy, Emailing, File"

Sep 16th, 2016
2016-09-16 #locky email phishing campaign "Attached, Copy, Emailing, File"

Email:
---------------------------------------------------------------------------------------------------
From: "Tabitha" <Tabitha239@packstation.de>
To: <uperkunde@packstation.de>
Subject: [SUSPICIOUS MESSAGE] Emailing: Scan(504)
Date: Fri, 16 Sep 2016 07:23:02 +0430

Attachment: Scan(504).zip
---------------------------------------------------------------------------------------------------
- sender address varies between emails, but it always appears to come from the recipient's own domain (From: and To: share the same domain)
- body is empty
- subject has the format: [Attached|Copy|Emailing|File]: [Document|Scan|Receipt](<number>)
  (the "[SUSPICIOUS MESSAGE]" tag in the sample subject is a gateway-added prefix, not part of the pattern)
- in the sample, the attachment name repeats the [Document|Scan|Receipt](<number>) part of the subject, with a .zip extension

Download sites (the actual URLs carry the suffix "?_RND_=_RND_", probably a script mistake such as an unsubstituted placeholder; it does not affect the download). Each URL is plain http, a bare host and a single path component of seven lowercase letters:
http://adityastar.com/wixcrqd
http://aeroptim.com/pobehuh
http://alexandrkireev.ru/rqcklbm
http://all4supply.com/wduwkdf
http://baanmuifah.com/njnfpdi
http://b-creative.be/xxaginj
http://bukkuz.com/qyopafb
http://demo.website.pl/ugfsfed
http://earnbyemail.com/ngrxgbv
http://fgspro.com/qjyywqs
http://googlecheck.nl/wwtgmaw
http://gumorca.com/obdntxs
http://helpmybathroom.com/ivrofne
http://hollystamps.com/sjhvhjg
http://inovsol.com/onkwnod
http://islamiccollege.org/uytedjl
http://jsydjc.com/nakhldo
http://kliksiska.com/ciwdpgg
http://lv-nexis.com/unicyct
http://mahovik-bg.com/gnixsfq
http://malamalamak9.net/nmxsijq
http://markanltd.com/rrdmwim
http://mclodesigns.com/edvxmhd
http://nipeldogalgaz.com/dplsdkf
http://paraspokeri.net/rvtgffk
http://proforceaudio.com/onhejgc
http://psychquiz.com/uxpfxgh
http://rentvspb.ru/gtipssu
http://salemwitchcat.com/ynksvkq
http://samenart.com/nyvsbcl
http://sanalnet.org/astqmgt
http://shopmjn.com/kxhujmk
http://sinergica.cl/eveasxb
http://smt112.com/rleptuo
http://swivelsrus.com/neginnl
http://szamba-betonowe.org/eswfxrm
http://thewebgroup.net/suvahvg
http://tobybender.com/ocwklsy
http://travelvoice.com/jvktjob
http://turkmennews.com/ucqwjvy
http://urachart.com/vtnqgoc
http://walterssigns.com/turjsty
http://wongcs.com/ytcccbr
http://xsolution.sk/ljkyemd

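Triage logic for the indicators above (subject format, From/To sharing a domain, empty body, <Word>(<number>).zip attachment, the seven-letter download paths with the stray "?_RND_=_RND_" suffix, and the two SHA256 values below), written as an added example. This is not code from the original paste. The sample message is constructed for the demo under the example.test domain and the base64 attachment body is a placeholder, not campaign data.

```python
"""Triage helpers for the Locky "Attached/Copy/Emailing/File" campaign notes.

Added example, not part of the original paste. The rules are derived only from
the characteristics listed in the notes; SAMPLE_EMAIL is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Subject: [Attached|Copy|Emailing|File]: [Document|Scan|Receipt](<number>)
# Gateways may prepend tags such as "[SUSPICIOUS MESSAGE]"; allow any number of
# bracketed prefixes before the real subject.
SUBJECT_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)*(Attached|Copy|Emailing|File):\s*"
    r"(Document|Scan|Receipt)\((\d+)\)\s*$"
)
# Attachment name in the sample: Scan(504).zip
ATTACHMENT_RE = re.compile(r"^(Document|Scan|Receipt)\(\d+\)\.zip$", re.IGNORECASE)
# Download URL path: exactly seven lowercase letters, nothing else.
URL_PATH_RE = re.compile(r"^/[a-z]{7}$")
# Encoded download and decoded executable hashes from the notes.
KNOWN_SHA256 = {
    "5259a7ee4e1524d3355c39566ddf6ebf5c6605b7687577ce15da07eeef57c2c8",
    "779d99732cb2def99cdefea2bf40cb6d3074575c31f63fa47b57581bb210e543",
}


def subject_matches(subject):
    return SUBJECT_RE.match(subject or "") is not None


def sender_spoofs_recipient(from_header, to_header):
    """True when the From: address claims the recipient's own domain."""
    _, from_addr = parseaddr(from_header or "")
    _, to_addr = parseaddr(to_header or "")
    if "@" not in from_addr or "@" not in to_addr:
        return False
    return from_addr.rsplit("@", 1)[1].lower() == to_addr.rsplit("@", 1)[1].lower()


def url_matches(url):
    """Plain http, bare host, 7-letter path, optional '?_RND_=_RND_' query."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.netloc:
        return False
    if parts.query not in ("", "_RND_=_RND_"):
        return False
    return URL_PATH_RE.match(parts.path) is not None


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_is_empty(msg):
    """True when no text part carries anything but whitespace."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            if payload.strip():
                return False
    return True


def is_known_sample(sha256_hex):
    return sha256_hex.strip().lower() in KNOWN_SHA256


def triage(raw_message):
    """Return which campaign indicators one RFC 822 message exhibits."""
    msg = message_from_string(raw_message)
    hits = {
        "subject": subject_matches(msg.get("Subject", "")),
        "spoofed_sender": sender_spoofs_recipient(msg.get("From", ""), msg.get("To", "")),
        "empty_body": body_is_empty(msg),
        "attachment": any(ATTACHMENT_RE.match(n) for n in attachment_names(msg)),
    }
    hits["score"] = sum(1 for v in hits.values() if v)
    return hits


# Constructed sample in the shape described in the notes; not a real capture
# and the base64 attachment content is a placeholder, not the campaign ZIP.
SAMPLE_EMAIL = """\
From: "Tabitha" <Tabitha239@example.test>
To: <someone@example.test>
Subject: [SUSPICIOUS MESSAGE] Emailing: Scan(504)
Date: Fri, 16 Sep 2016 07:23:02 +0430
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"


--b1
Content-Type: application/zip; name="Scan(504).zip"
Content-Disposition: attachment; filename="Scan(504).zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
```

Run `triage(SAMPLE_EMAIL)` to see all four indicators fire with a score of 4; `url_matches` accepts the listed download URLs with or without the suffix and rejects https, extra path segments or other query strings. The subject rule deliberately tolerates gateway tags, since the observed sample had "[SUSPICIOUS MESSAGE]" prepended by the receiving side.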
Malware:
- the payload is encoded as downloaded: SHA256 5259a7ee4e1524d3355c39566ddf6ebf5c6605b7687577ce15da07eeef57c2c8, filesize 343589 bytes
https://www.reverse.it/sample/9aca4ed2cf68bfc90a30574b680a3bdf5437667aff06d6a9f5cc7568787a52f0?environmentId=100
https://www.reverse.it/sample/ebfe96f36ba5f53ef5a8fbe47e78c04a33ba6cae4307bb8f1ca0a65b76b9f121?environmentId=100
https://www.reverse.it/sample/8ef8be74afab109e5b25ae28bb4dbf3c9a7b5c70b5fc628a89af92f427cbef89?environmentId=100
https://www.reverse.it/sample/8ba39aa765c8fe2316fde4facf39b0e16d15d28a516bcc49f5b78ac561ee6491?environmentId=100
https://www.reverse.it/sample/7a24de364a994d1d33b497611d614eb800f335519666157de8eb7080fbdc98f0?environmentId=100
- decoded: SHA256 779d99732cb2def99cdefea2bf40cb6d3074575c31f63fa47b57581bb210e543, filesize 343589 bytes (same size as the encoded download, consistent with a size-preserving encoding)
- the decoded binary is executed as an .exe without parameters

C2:
- no C2 communication observed during analysis