Racco42

Locky "Please find attached invoice no. X"

Aug 29th, 2016
2016-08-29 #locky phishing email campaign "Please find attached invoice no. XXXX"

Email sample (the sender domain is spoofed to match the recipient's domain):
-------------------------------------------------------------------------------------------
From: <document@[REDACTED]>
To: [REDACTED]
Subject: Please find attached invoice no: 571126296

Attached is a Print Manager form.
Format =3D Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
-------------------------------------------------------------------------------------------
Attached file: [random characters].zip, containing [random characters].wsf, a Windows Script File that carries the JScript downloader.
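To turn the traits of the sample above into a mail-gateway check, here is an added example in Python that is not part of the original paste: it builds a constructed message shaped like the sample (domain example.com, the file names and the placeholder .wsf body are invented) and flags a sender domain equal to the recipient's, the invoice lure subject, and a .zip attachment holding a Windows Script Host file. Treating .js/.jse/.vbs/.vbe the same way as .wsf is an assumed generalisation; the campaign itself used .wsf.

```python
"""Triage an inbound .eml for the traits of the campaign sample: the From
domain equal to the recipient's domain, the invoice subject line, and a
.zip attachment that holds a Windows Script Host file such as .wsf.

Added example, not the paste's own code. The message built below is
constructed; example.com, the file names and the .wsf body are invented.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .wsf is what this campaign used; the other extensions are also executed by
# wscript.exe/cscript.exe and are an assumed generalisation.
WSH_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")
SUBJECT_RE = re.compile(r"please find attached invoice", re.I)


def build_sample_eml() -> bytes:
    """Construct a message shaped like the campaign sample (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder script body; the real downloader is not reproduced here.
        zf.writestr("kJ3qLm8x.wsf", '<job><script language="JScript">'
                    "/* placeholder */</script></job>")
    msg = EmailMessage()
    msg["From"] = "document@example.com"      # same domain as the recipient
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Please find attached invoice no: 571126296"
    msg.set_content("Attached is a Print Manager form.\n"
                    "Format = Portable Document Format File (PDF)\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="kJ3qLm8x.zip")
    return msg.as_bytes()


def script_members(zip_bytes: bytes) -> list:
    """Names of Windows Script Host files inside a zip; [] if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(WSH_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_hdr = msg["From"]
    sender_domain = (from_hdr.addresses[0].domain.lower()
                     if from_hdr and from_hdr.addresses else "")
    to_hdr = msg["To"]
    recipient_domains = ({a.domain.lower() for a in to_hdr.addresses}
                         if to_hdr else set())
    # Only meaningful for mail that arrived from an external MTA; an internal
    # relay legitimately carries the organisation's own domain in From.
    if sender_domain and sender_domain in recipient_domains:
        findings.append("sender_domain_matches_recipient")

    if SUBJECT_RE.search(msg["Subject"] or ""):
        findings.append("invoice_lure_subject")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes as well: the file name is attacker-controlled.
        if name.endswith(".zip") or data.startswith(b"PK\x03\x04"):
            scripts = script_members(data)
            if scripts:
                findings.append("zip_with_wsh_script:" + ",".join(scripts))

    return {"sender_domain": sender_domain,
            "findings": findings,
            "quarantine": any(f.startswith("zip_with_wsh_script")
                              for f in findings)}


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The archive is opened rather than matched on its name only, because the zip name is random and the .wsf inside is what actually runs; the same-domain check should be scoped to mail received from outside the organisation, since internal relays legitimately carry the local domain.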

Download URLs (the live URL carries a ?<random>=<random> query suffix, which does not appear to affect the download):
http://69.61.11.216/78yhuinFYs
http://abcbureautique.abc.perso.neuf.fr/78yhuinFYs
http://ach-dziennik.cba.pl/78yhuinFYs
http://bypetra.de/78yhuinFYs
http://club.konjiki.jp/78yhuinFYs
http://conserpa.vtrbandaancha.net/78yhuinFYs
http://daedalus.dommel.be/78yhuinFYs
http://dussartconsulting.com/78yhuinFYs
http://greentechdesign.ca/78yhuinFYs
http://iesjaumei.edu.gva.es/78yhuinFYs
http://immobilien1000.de/78yhuinFYs
http://jamesm.co.uk/78yhuinFYs
http://job.atspace.org/78yhuinFYs
http://lokum1985.republika.pl/78yhuinFYs
http://rodewelshcobs.com/78yhuinFYs
http://sektori.pp.fi/78yhuinFYs
http://spaceinn.co.jp/78yhuinFYs
http://tpllaw.com/78yhuinFYs
http://vicariassicurazioni.it/78yhuinFYs
http://www.agenziadini.it/78yhuinFYs
http://www.agriturismoigirasoli.it/78yhuinFYs
http://www.bluedizioni.com/78yhuinFYs
http://www.caminettilcd.it/78yhuinFYs
http://www.carloabati.com/78yhuinFYs
http://www.coozpn.cba.pl/78yhuinFYs
http://www.csm94.org/78yhuinFYs
http://www.culturalheritagemanagement.org/78yhuinFYs
http://www.dialektika.extra.hu/78yhuinFYs
http://www.dondana.com/78yhuinFYs
http://www.epikal.go.ro/78yhuinFYs
http://www.fenit.net/78yhuinFYs
http://www.imaginarium.home.ro/78yhuinFYs
http://www.jan-wallner.de/78yhuinFYs
http://www.kurtoskalacs.go.ro/78yhuinFYs
http://www.lagottoromagnolo.be/78yhuinFYs
http://www.leprimodels.it/78yhuinFYs
http://www.mussystems.net/78yhuinFYs
http://www.planet-intv.com/78yhuinFYs
http://www.qualityacoustic.comcastbiz.net/78yhuinFYs
http://www.saumi.jazztel.es/78yhuinFYs
http://www.ussanlorenzo.it/78yhuinFYs
http://www.vanhoenacker.net/78yhuinFYs
http://www.webcam-bild.de/78yhuinFYs
http://xelagon.50webs.org/78yhuinFYs

Downloaded payload (encoded), SHA256 e6b487f67e4d5547bbe07ef0d70191a6b73edb9b2a5cc6878871e3682be74d2a, file size 143360 bytes. Related reverse.it analysis reports:
https://www.reverse.it/sample/72dd283c23ac0649d879a0751e37498562272a144fa08ab0d247b06286db5bce?environmentId=100
https://www.reverse.it/sample/c8175b878ff92995c364d51b771d5ef8037bd712042fad5561a1d4fdfb7df239?environmentId=100
https://www.reverse.it/sample/47efc9f74cefc1ffe68611e242dd433f2567c77f0299bbba7d5e62f670017284?environmentId=100
https://www.reverse.it/sample/da0525772a22a5be84910a1196167f6e3748438c18fa521d0bc3446a3d664abf?environmentId=100
https://www.reverse.it/sample/60bcaa984714e6e3a70ce4f553d6457ed7b84032a3b9b63d960cf2eac38c4525?environmentId=100

C2s:
51.255.107.30:80/data/info.php
195.64.154.114:80/data/info.php
(trxswbwxhr.xyz)91.226.92.208:80/data/info.php
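The download list and the C2 entries are most useful as a feed for log matching. As an added example that is not part of the original paste, the Python below parses a subset of the paste's own lists (kept in the paste's notation, including the "(domain)ip:port/path" form) and scans proxy log lines for the payload fetch and the C2 check-in, dropping the ?<random>=<random> query before comparing host and path. The log format (timestamp client method url status) and every log line are constructed for the example, not captured traffic.

```python
"""Match web-proxy log lines against this paste's download URLs and C2
paths, ignoring the per-victim ?<random>=<random> query suffix.

Added example, not the paste's own code. INDICATOR_TEXT is a subset of the
paste's lists in the paste's own notation; the log format and the log
lines are constructed for the example and are not real traffic.
"""
import re
from urllib.parse import urlsplit

INDICATOR_TEXT = """
Downloads (actual URL has ?<random>=<random> suffix):
http://69.61.11.216/78yhuinFYs
http://bypetra.de/78yhuinFYs
http://www.agenziadini.it/78yhuinFYs

C2s:
51.255.107.30:80/data/info.php
195.64.154.114:80/data/info.php
(trxswbwxhr.xyz)91.226.92.208:80/data/info.php
"""

# The paste's section headers map to the stage of the infection chain.
SECTION_STAGE = {"downloads": "payload_download", "c2s": "c2_checkin"}

# "(domain)ip:port/path" or "ip:port/path", as written in the C2s section.
C2_LINE = re.compile(
    r"^(?:\((?P<domain>[^)]+)\))?(?P<host>[\w.-]+)(?::(?P<port>\d+))?(?P<path>/\S*)$")

# Constructed log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

LOG_LINES = [  # constructed, not captured
    "2016-08-29T09:12:41Z 10.0.0.15 GET http://bypetra.de/78yhuinFYs?kjdhf=2398sdf 200",
    "2016-08-29T09:12:44Z 10.0.0.15 POST http://51.255.107.30/data/info.php 200",
    "2016-08-29T09:13:02Z 10.0.0.22 GET http://www.example.org/index.html 200",
    "2016-08-29T09:13:10Z 10.0.0.15 POST http://trxswbwxhr.xyz:80/data/info.php 200",
    "2016-08-29T09:14:00Z 10.0.0.31 GET http://bypetra.de/ 200",
]


def parse_indicators(text: str) -> dict:
    """Map (host, path) -> stage. Scheme, port and query are dropped."""
    stage, indicators = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header such as "Downloads (...):" or "C2s:"
            stage = SECTION_STAGE.get(line.split()[0].rstrip(":").lower())
            continue
        if stage is None:
            continue
        if line.startswith(("http://", "https://")):
            u = urlsplit(line)
            indicators[(u.hostname.lower(), u.path)] = stage
        else:
            m = C2_LINE.match(line)
            if m:
                indicators[(m["host"].lower(), m["path"])] = stage
                if m["domain"]:  # the name the IP was listed under
                    indicators[(m["domain"].lower(), m["path"])] = stage
    return indicators


def match_log(lines, indicators: dict) -> list:
    """One hit per log line whose host and path are in the indicator set."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        key = ((u.hostname or "").lower(), u.path)  # query dropped on purpose
        stage = indicators.get(key)
        if stage:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "host": key[0], "stage": stage})
    return hits


def infected_clients(hits) -> set:
    """Clients that fetched the payload and then checked in to a C2."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["stage"])
    return {c for c, stages in by_client.items()
            if {"payload_download", "c2_checkin"} <= stages}


if __name__ == "__main__":
    found = match_log(LOG_LINES, parse_indicators(INDICATOR_TEXT))
    for h in found:
        print(h)
    print("infected:", infected_clients(found))
```

Matching on host plus path rather than the full URL is what makes the download stage detectable at all, since the query string differs per victim; a client with only a payload fetch may be a scanner or sandbox, so the "infected" set requires the later check-in to /data/info.php as well.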