Advertisement
Racco42

2017-09-21 Locky "Invoice RE-2017-09-21-00168"

Sep 21st, 2017
5,688
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.71 KB | None | 0 0
  1. 2017-09-21: #locky email phishing camapaign "Invoice RE-2017-09-21-NNNNN"
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------------------------
  5. From: Amazon Marketplace <AOUXQckbAEkCV@marketplace.amazon.co.uk>
  6. To: [REDACTED]
  7. Subject: Invoice RE-2017-09-21-00168
  8. Date: Thu, 21 Sep 2017 12:16:52 +0430
  9.  
  10. ------------- Begin message -------------
  11.  
  12. Dear customer,
  13.  
  14. We want to use this opportunity to first say "Thank you very much for your purchase!"
  15. Attached to this email you will find your invoice.
  16.  
  17. Kindest of regards,
  18. your Amazon Marketplace
  19.  
  20. [commMgrHmdToken:MDJSMKJWGJIJN]
  21.  
  22. ------------- End message -------------
  23.  
  24. For Your Information: To help arbitrate disputes and preserve trust and safety, we retain all messages buyers and sellers send through Amazon.co.uk. This includes your
  25. response to the message below. For your protection we recommend that you only communicate with buyers and sellers using this method.
  26.  
  27. Important: Amazon.co.uk's A-to-z Guarantee only covers third-party purchases paid for through our Amazon Payments system via our Shopping Cart or 1-Click. Our Guarantee
  28. does not cover any payments that occur off Amazon.co.uk including wire transfers, money orders, cash, check, or off-site credit card transactions.
  29.  
  30. We want you to buy with confidence whenever you purchase products on Amazon.co.uk. Learn more about Safe Online Shopping (http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=11081621) and our safe buying guarantee (http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=3149571).
  31.  
  32. [commMgrTok:MDJSMKJWGJIJN]
  33.  
  34. Attachment: RE-2017-09-21-00168.7z -> RE-2017-09-21-00297.vbs
  35. -----------------------------------------------------------------------------------------------------------------------------
  36. - sender is "Amazon Marketplace" <random>@marketplace.amazon.co.uk
  37. - subject is "Invoice RE-2017-09-21-<5 digits>"
  38. - attached file "RE-2017-09-21-<5 digits>.7z" contains file "RE-2017-09-21-<5 digits>.vbs", a VBScript downloader
  39.  
  40. Download sites:
  41. http://81552.com/IUGiwe8
  42. http://accuflowfloors.com/IUGiwe8
  43. http://adr-werbetechnik.de/IUGiwe8
  44. http://aetozi.gr/IUGiwe8
  45. http://afmance.it/IUGiwe8
  46. http://afradem.com/IUGiwe8
  47. http://agricom.it/IUGiwe8
  48. http://agriturismobellaria.net/IUGiwe8
  49. http://agro-kerler.de/IUGiwe8
  50. http://ahlbrandt.eu/IUGiwe8
  51. http://fulcar.info/p66/IUGiwe8
  52. http://moonmusic.com.au/IUGiwe8
  53.  
  54. Malware:
  55. - locky, offline .ykcol variant
  56. - VT: https://www.virustotal.com/en/file/ac6da4890150e2037a5913623557ab759b62d0ee9206ec0bacac318523afbc53/analysis/1505984851/
  57. - HA: https://www.hybrid-analysis.com/sample/ac6da4890150e2037a5913623557ab759b62d0ee9206ec0bacac318523afbc53?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement