Racco42

2017-08-09 Locky "E 2017-08-09 (xxx).doc"

Aug 9th, 2017
2017-08-09: #Locky email phishing campaign "E 2017-08-09 (xxx).doc"
Samples: 1334

Email sample:
--------------------------------------------------------------------------------------------------------------
From: Jeanne@[REDACTED]
To: [REDACTED]
Subject: E 2017-08-09 (87).xls
Date: Mon, 24 Jul 2017 07:51:08 +0000

Attachment: "E 2017-08-09 (87).zip" -> "E 2017-08-09 (443).vbs"
--------------------------------------------------------------------------------------------------------------
- sender address is spoofed to appear to come from the same domain as the recipient
- subject is "E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf>"
- email body is empty
- attached file "E 2017-08-09 (<2-3 digits>).zip" contains file "E 2017-08-09 (<2-3 digits>).vbs", a VBScript downloader

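Detection logic for the lure characteristics listed above, as an added example that is not part of the paste: it scores an email against the subject and .zip naming pattern, the same-domain sender spoof, the empty body, and a zip whose contents include a script. It goes slightly beyond the paste by also flagging other Windows script extensions (an assumption); the sample message, its domain and the zip contents are constructed placeholders.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Lure naming used by this campaign: "E 2017-08-09 (<2-3 digits>).<ext>"
SUBJECT_RE = re.compile(r"^E 2017-08-09 \(\d{2,3}\)\.(doc|docx|xls|xlsx|jpg|tiff|pdf)$")
ZIP_NAME_RE = re.compile(r"^E 2017-08-09 \(\d{2,3}\)\.zip$")
# Assumption: the paste only names .vbs; other Windows script hosts are added for coverage
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def _domain(header_value):
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else None

def score_locky_lure(msg):
    """Return the campaign indicators that an EmailMessage matches, in check order."""
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject_pattern")
    sender, rcpt = _domain(msg["From"]), _domain(msg["To"])
    if sender and sender == rcpt:  # forged From that mirrors the recipient's own domain
        hits.append("sender_spoofs_recipient_domain")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not body.get_content().strip():
        hits.append("empty_body")
    for part in msg.iter_attachments():
        if not ZIP_NAME_RE.match(part.get_filename() or ""):
            continue
        hits.append("zip_attachment_pattern")
        try:  # list the archive members without extracting or executing anything
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                if any(n.lower().endswith(SCRIPT_EXTS) for n in zf.namelist()):
                    hits.append("script_inside_zip")
        except zipfile.BadZipFile:
            hits.append("corrupt_zip")
    return hits

def build_sample():  # constructed stand-in for the paste's sample: inert content, placeholder domain
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("E 2017-08-09 (443).vbs", "' inert placeholder, not the real downloader\r\n")
    msg = EmailMessage()
    msg["From"] = "Jeanne@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "E 2017-08-09 (87).xls"
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="E 2017-08-09 (87).zip")
    return msg
```

Feeding `build_sample()` to `score_locky_lure` returns all five indicators; a mail gateway rule would typically alert on the subject or zip naming match alone and quarantine when a script is found inside the archive.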
Download sites:

Malware:
- SHA256: 390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891, MD5: 0d0823d9a5d000b80e27090754f59ee5
- VT: https://www.virustotal.com/file/390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891/analysis/1502275376/
- HA: https://www.reverse.it/sample/390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891?environmentId=100
- C2:
POST http://83.217.8.61/checkupdate
POST http://31.202.130.9/checkupdate
POST http://91.234.35.106/checkupdate