2017-09-26 Locky "INVOICE"

Racco42 Sep 27th, 2017 (edited)
2017-09-26: #locky email phishing campaign "INVOICE"

Email sample:
-------------------------------------------------------------------------------------------------------------
From: Terri Plummer <sales@[REDACTED]>
To: [REDACTED]
Subject: INVOICE
Date: Tue, 26 Sep 2017 10:52:50 -0200

Dear Sir,

PLEAS FIND ATTACHED YOUR INVOICE AS REQUESTED.

Thank you and Kind regard's

*Terri*
*For Techno-Packaging.*

P *Please consider the environment – only print this e-mail if absolutely necessary*

Attachment: A950391802.7z -> A40092489740.vbs
-------------------------------------------------------------------------------------------------------------
- the sender address is forged to sales@<sender's domain>
- the subject is INVOICE
- the attached file "A<8-12 digits>.7z" contains the file "A<9-11 digits>.vbs", a VBScript downloader that fetches the payload from one of the following:

Download sites:
http://bodywork-sf.net/dg6rerg
http://boetsebiltong.co.za/dg6rerg
http://bouwpartnerzaagenschaaf.nl/dg6rerg
http://brand-online.eu/dg6rerg
http://brascopperchile.cl/dg6rerg
http://bredabeckerle.com/dg6rerg
http://brendo.biz/dg6rerg
http://broadcastaudiodevices.com/dg6rerg
http://bsfotodesign.com/dg6rerg
http://cadsangiorgio.com/dg6rerg
http://caldas-cca.com/dg6rerg
http://playbrief.info/p66/dg6rerg

http://antwerpvillas.com/niugufvt4
http://apethorpevillage.co.uk/niugufvt4
http://asi-automazioni.com/niugufvt4
http://freevillemusic.com/niugufvt4
http://galeona.com/niugufvt4
http://gdrural.com.au/niugufvt4
http://geocean.co.id/niugufvt4
http://gilgroup.com/niugufvt4
http://giraudnet.co.uk/niugufvt4
http://glostrap.com/niugufvt4
http://graficasicarpearanjuez.com/niugufvt4
http://granado.es/niugufvt4
http://hkcel.com/niugufvt4
http://hmbre.com/niugufvt4
http://poemsan.info/p66/niugufvt4

Malware:
- locky, offline .ykcol variant
- SHA256: 376d73b2e5ae398e2158871e1b72850a748cf0d9c2c37a65ad5af368523c4749, MD5: b035ddc1f0738c3f90cb5c0b804e1775
- SHA256: e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4, MD5: 1c1a6b70b5e2b13c019d5cbdf0f12738
- VT: https://www.virustotal.com/en/file/376d73b2e5ae398e2158871e1b72850a748cf0d9c2c37a65ad5af368523c4749/analysis/1506485634/
- VT: https://www.virustotal.com/en/file/e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4/analysis/1506525616/
- HA: https://www.hybrid-analysis.com/sample/376d73b2e5ae398e2158871e1b72850a748cf0d9c2c37a65ad5af368523c4749?environmentId=100
- HA: https://www.hybrid-analysis.com/sample/e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4?environmentId=10
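Added example, not part of the original paste: a small Python triage script that turns the campaign traits listed above (sales@ sender, subject INVOICE, an "A<8-12 digits>.7z" attachment wrapping an "A<9-11 digits>.vbs", and the two URL paths shared by every download site) into checks a mail-gateway or SOC script could run. The sample message is constructed for the demonstration; because the standard library cannot open 7z archives, the archive member list is assumed to come from a separate extraction step and is passed in as a parameter.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Filename patterns taken from the paste: "A<8-12 digits>.7z" containing "A<9-11 digits>.vbs".
ARCHIVE_RE = re.compile(r"^A\d{8,12}\.7z$", re.IGNORECASE)
SCRIPT_RE = re.compile(r"^A\d{9,11}\.vbs$", re.IGNORECASE)
# URL paths shared by all download sites in the paste (hosts change, the path is the steadier indicator).
KNOWN_PATHS = {"/dg6rerg", "/p66/dg6rerg", "/niugufvt4", "/p66/niugufvt4"}

# Constructed sample in the shape of the lure above; the base64 body is only the 7z magic bytes,
# not a real archive, and example.invalid is a placeholder domain.
SAMPLE_EMAIL = """\
From: Terri Plummer <sales@example.invalid>
To: victim@example.invalid
Subject: INVOICE
Date: Tue, 26 Sep 2017 10:52:50 -0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sir,

PLEAS FIND ATTACHED YOUR INVOICE AS REQUESTED.

--b1
Content-Type: application/x-7z-compressed; name="A950391802.7z"
Content-Disposition: attachment; filename="A950391802.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--b1--
"""


def triage_email(raw: str, archive_members=()) -> dict:
    """Score a raw RFC 822 message against the campaign traits; returns the matched traits and a verdict.

    archive_members: filenames found inside the attached archive by a separate extraction step
    (assumed input, since 7z extraction is outside the standard library).
    """
    msg = message_from_string(raw, policy=policy.default)
    hits = []

    if (msg.get("Subject") or "").strip().upper() == "INVOICE":
        hits.append("subject-invoice")

    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower().startswith("sales@"):
        hits.append("from-sales-localpart")

    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    if any(ARCHIVE_RE.match(name) for name in names):
        hits.append("archive-name-pattern")

    if any(SCRIPT_RE.match(member) for member in archive_members):
        hits.append("vbs-member-pattern")

    # Three or more independent traits is treated as a campaign match; one alone (e.g. subject) is too weak.
    return {"hits": hits, "attachments": names, "suspicious": len(hits) >= 3}


def is_known_download_url(url: str) -> bool:
    """True if the URL path is one of the campaign's download paths, regardless of host."""
    return urlparse(url).path in KNOWN_PATHS


if __name__ == "__main__":
    verdict = triage_email(SAMPLE_EMAIL, archive_members=["A40092489740.vbs"])
    print(verdict)
    for url in ("http://brendo.biz/dg6rerg", "http://poemsan.info/p66/niugufvt4", "http://example.invalid/invoice.pdf"):
        print(url, "->", is_known_download_url(url))
```

The verdict requires several traits at once because any one of them (an INVOICE subject, a sales@ sender) is common in legitimate mail; the filename patterns and the shared URL paths are what make this set specific to the campaign, and the URL check is host-independent so it keeps working as the list of download sites grows.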