2016-12-19 Locky "Payslip for the month Dec 2016"

Racco42, Dec 19th, 2016 (edited)
2016-12-19: #locky email phishing campaign "Payslip for the month Dec 2016"

Sample email:
------------------------------------------------------------------------------------------------------------------
From: RUTHIE TORDOFF <ruthie.tordoff@damienelsing.com>
To: [REDACTED]
Subject: Payslip for the month Dec 2016.
Date: Mon, 19 Dec 2016 16:43:51 +0500

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.

Attachment: Payslip_Dec_2016_7705596.doc
------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Payslip for the month Dec 2016."
- attached file "Payslip_Dec_2016_<5-8 digits>.doc" is a Microsoft Word 2007+ file with a macro that downloads the malware

Download sites:
http://023pc.cn/8hrnv3
http://abatjour.be/8hrnv3
http://adygkomnac.ru/8hrnv3
http://aguamineralsantacruz.com.br/8hrnv3
http://airportrentacar.ro/8hrnv3
http://alimobiles.com.ua/8hrnv3
http://allard-g.be/8hrnv3
http://almrausch.tv/8hrnv3
http://archindonesia.com/8hrnv3
http://as-kanal-rohrreinigung.de/8hrnv3
http://aspecta-aso.net/8hrnv3
http://audehd.com/8hrnv3
http://audreyetsteve.fr/8hrnv3
http://axmetrix.com/8hrnv3
http://bastacycling.com/8hrnv3
http://baugildealtmark.de/8hrnv3
http://belgarion.eu/8hrnv3
http://berstetaler.de/8hrnv3
http://birdhausdesign.com/8hrnv3
http://blackseo.ir/8hrnv3
http://blendpak.com/8hrnv3
http://bperes.com.br/8hrnv3
http://brainfreezeapp.com/8hrnv3
http://convergencevineyards.com/8hrnv3
http://cycollierville.com/8hrnv3
http://delreywindows.com/8hrnv3
http://democracyandsecurity.org/8hrnv3
http://drwonder.org/8hrnv3
http://e-vime.com/8hrnv3
http://factoryfreeapparel.com/8hrnv3
http://fastfine.ru/8hrnv3
http://franjaroja.emcali.net.co/8hrnv3
http://friendlygeek.org/8hrnv3
http://garosero5.com/8hrnv3
http://globaser3000.com/8hrnv3
http://gluten-free-on.net/8hrnv3
http://gps.50webs.com/8hrnv3
http://grafiquesvaros.com/8hrnv3
http://growing-e-m.com/8hrnv3
http://gyoda.v.wol.ne.jp/8hrnv3
http://halogen.dp.ua/8hrnv3
http://oliverkuo.com.au/8hrnv3
http://pliki-kirbyworld.50webs.com/8hrnv3
http://routerpanyoso.50webs.com/8hrnv3
http://skyers.awardspace.com/8hrnv3
http://www.andmax-rehabilitacja.pl/8hrnv3
http://www.bandhiga.com/8hrnv3
http://www.clinicafisiosan.com/8hrnv3
http://www.cryoniq.com/8hrnv3
http://www.de-klinker.be/8hrnv3
http://www.foyerstg.pro/8hrnv3
http://www.globalchristiantrust.com/8hrnv3
http://www.neumayr-alkoven.com/8hrnv3
http://www.texasredzonereport.com/8hrnv3
http://zimbabweaids.awardspace.com/8hrnv3

Malware:
- encoded (as downloaded)
SHA256 36ec2edae1dfd19f201223dd0b101494c33d092e2884288fecd8615cd86cd993, MD5 539ff4ca8d5a2ef6ab7297c4788c9e7d
SHA256 27f256daf811b85b8cdfe9efa1235bc59ff99ecf2c0f909155fdf3d646ebfdcc, MD5 30ffab27be3ca772b1bf8c97b22b9fdc
- decoded
SHA256 a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3, MD5 e93bbc2feaf005d85affbadc1abb39e9
SHA256 877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07, MD5 b2c125eb7d8186e1a4d52c411b94dd58
- executed by "rundll32.exe %TEMP%\<filename>.ero,money"
- samples
https://www.virustotal.com/file/a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3/analysis/1482159947/
https://www.virustotal.com/file/877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07/analysis/1482188600/

C2:
POST http://188.127.239.48/checkupdate
POST http://91.223.180.3/checkupdate
POST http://176.121.14.95/checkupdate
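The indicators above (lure subject, attachment naming pattern, the shared /8hrnv3 download path, the rundll32 execution of a .ero file with export "money", the C2 POSTs to /checkupdate, and the sample hashes) can be turned directly into detection logic. The following is an added example, not code from the original paste or its author; it matches each indicator class against a handful of constructed mail, proxy, process-creation and file-hash records (the record layout and the temp filename in record 6 are assumptions, not telemetry from the page).

```python
"""Detection helpers for the 2016-12-19 Locky "Payslip" campaign indicators."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the write-up above; nothing else is treated as malicious.
PHISH_SUBJECT = "Payslip for the month Dec 2016."
ATTACHMENT_RE = re.compile(r"^Payslip_Dec_2016_\d{5,8}\.doc$", re.IGNORECASE)
DOWNLOAD_PATH = "/8hrnv3"                      # shared by every download site listed
C2_HOSTS = {"188.127.239.48", "91.223.180.3", "176.121.14.95"}
C2_PATH = "/checkupdate"
# rundll32.exe %TEMP%\<filename>.ero,money  -> a .ero file loaded with export "money"
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+.*\.ero\s*,\s*money\b", re.IGNORECASE)
KNOWN_HASHES = {
    # encoded (as downloaded)
    "36ec2edae1dfd19f201223dd0b101494c33d092e2884288fecd8615cd86cd993",
    "27f256daf811b85b8cdfe9efa1235bc59ff99ecf2c0f909155fdf3d646ebfdcc",
    "539ff4ca8d5a2ef6ab7297c4788c9e7d", "30ffab27be3ca772b1bf8c97b22b9fdc",
    # decoded
    "a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3",
    "877c57b2b8bd3ebd8d2bbb96bdfd910b6a5bd91e045b12f2ca80786ad2339d07",
    "e93bbc2feaf005d85affbadc1abb39e9", "b2c125eb7d8186e1a4d52c411b94dd58",
}


def check_email(subject: str, attachment: str) -> List[str]:
    """Return the reasons (possibly none) an inbound mail matches the lure."""
    hits = []
    if subject.strip() == PHISH_SUBJECT:
        hits.append("subject matches campaign lure")
    if ATTACHMENT_RE.match(attachment.strip()):
        hits.append("attachment name matches Payslip_Dec_2016_<5-8 digits>.doc")
    return hits


def check_url(method: str, url: str) -> Optional[str]:
    """Flag the macro's download URL (any host, path /8hrnv3) or a C2 check-in."""
    parts = urlsplit(url)
    if parts.path == DOWNLOAD_PATH:
        return "macro download URL (/8hrnv3)"
    if method.upper() == "POST" and parts.hostname in C2_HOSTS and parts.path == C2_PATH:
        return "Locky C2 check-in"
    return None


def check_process(cmdline: str) -> bool:
    """True when rundll32 is invoked on a .ero file with the export name 'money'."""
    return RUNDLL_RE.search(cmdline) is not None


def check_hash(digest: str) -> bool:
    """True when a SHA256 or MD5 digest is one of the listed samples."""
    return digest.strip().lower() in KNOWN_HASHES


# Constructed sample records (assumed layout; not real telemetry).
SAMPLE_RECORDS: List[Dict] = [
    {"id": 1, "type": "email", "subject": "Payslip for the month Dec 2016.",
     "attachment": "Payslip_Dec_2016_7705596.doc"},
    {"id": 2, "type": "email", "subject": "Lunch on Friday?", "attachment": "menu.pdf"},
    {"id": 3, "type": "proxy", "method": "GET", "url": "http://abatjour.be/8hrnv3"},
    {"id": 4, "type": "proxy", "method": "POST", "url": "http://91.223.180.3/checkupdate"},
    {"id": 5, "type": "proxy", "method": "GET", "url": "http://example.com/checkupdate"},
    {"id": 6, "type": "process",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\ahgdyq.ero,money"},  # assumed name
    {"id": 7, "type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 8, "type": "file",
     "sha256": "a2e9025066f39a07b2bb4a85932c68f5b3da6a07bebb877aed1031c987ca16d3"},
]


def scan(records: List[Dict]) -> List[Tuple[int, str]]:
    """Run every record through the matching check; return (record id, reason) pairs."""
    alerts: List[Tuple[int, str]] = []
    for r in records:
        if r["type"] == "email":
            alerts.extend((r["id"], why) for why in check_email(r["subject"], r["attachment"]))
        elif r["type"] == "proxy":
            why = check_url(r["method"], r["url"])
            if why:
                alerts.append((r["id"], why))
        elif r["type"] == "process" and check_process(r["cmdline"]):
            alerts.append((r["id"], "rundll32 loading .ero file with export 'money'"))
        elif r["type"] == "file" and check_hash(r["sha256"]):
            alerts.append((r["id"], "known sample hash"))
    return alerts


if __name__ == "__main__":
    for rec_id, reason in scan(SAMPLE_RECORDS):
        print(f"record {rec_id}: {reason}")
```

Two design points: the download-site list is long and will age quickly, but every entry shares the path /8hrnv3, so the check keys on the path alone and generalizes to hosts the paste does not list; the C2 rule, by contrast, requires both the listed IP and the POST to /checkupdate, because /checkupdate on its own is too generic a path to alert on. The rundll32 rule keys on the unusual .ero extension plus the export name, which separates it from the many legitimate rundll32 invocations such as record 7.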