Racco42

2016-09-12 Locky "Budget report"

Sep 12th, 2016
2016-09-12 #locky email phishing campaign "Budget report"
http://blog.dynamoo.com/2016/09/malware-spam-budget-report-leads-to.html

Email
---------------------------------------------------------------------------------------------------------------
From: "Shawna Roberson" <Roberson.00148@americandream-redding.com>
To: [REDACTED]
Subject: Budget report
Date: Mon, 12 Sep 2016 19:45:57 +0530

Hi [REDACTED],

I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.

With many thanks,
Shawna Roberson

Attachment: "e3ac9b9be19.zip"
---------------------------------------------------------------------------------------------------------------
- sender address varies
- subject is "Budget report"
- attached file "<random hex chars>.zip" contains two identical files "<8 hex chars> Budget_report_xls.js" and "<8 hex chars> Budget_report_xls - 1.js"

Download sites:
http://block2enable3.net/1o6bcxr2
http://canonbest7.com/1v1wwia
http://lookbookinghotels.ws/a9sgrrak
http://one4four1.ws/h27opn0
http://trybttr.ws/h71qizc

Malware:
- encoded on download, filesize 134783 bytes, SHA256s:
f35af296203a8c09e133cd202e27514ba21f014cb91c7e38411cf70bf23aa9de http___block2enable3.net_1o6bcxr2
5502098946874b806da019d37eab755db36951a7a4cc64c113a169aa53df9cdb http___canonbest7.com_1v1wwia
98bacd8eaaa7fa02ac1e817a015cce85c791879e69b866cac13b20231082d11d http___lookbookinghotels.ws_a9sgrrak
d5dde8ef4f97cbb4bccfcc1d9854536ed7335065a92ffdd3f36e421e6c963962 http___trybttr.ws_h71qizc

https://www.reverse.it/sample/bca67e8372897765e6f4265c7d27d3c2ed373833a0c577328601f6986b5db0c4?environmentId=100
https://www.reverse.it/sample/b732899b4a9a94f4341427dd18cdc069902e79fef946addb42526e0aa7ff48f6?environmentId=100
https://www.reverse.it/sample/da74b00b01220cb38f2ffca226d81079630d9dc3012b9888f8efe0472288cb1b?environmentId=100

- decoded SHA256
ad26b56690a9e79012bbf54112f66e029f16093b4dd4d842ba1fdebad1a8e094
a7c5d185235e8515e546d720e565a3efbc4e1b169852453726d5673dca0ed2d4

C2:
185.154.15.150:80/data/info.php
91.214.71.101:80/data/info.php
46.173.214.95:80/data/info.php
95.85.29.208:80/data/info.php
51.255.105.2:80/data/info.php
yofkhfskdyiqo.biz:80/data/info.php [69.195.129.70]
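Added example (not part of the paste, not the author's code): a small Python triage helper that turns the indicators above into checks a defender can run offline. It matches proxy log lines against the download hosts and the C2 hosts, flags the "/data/info.php" path on any other host as a lower-confidence hit (a generalization of the C2 list above, since that path is common to every C2 entry but is generic enough to cause false positives on its own), checks the attachment naming from the note (hex-named zip containing "<8 hex chars> Budget_report_xls.js" and "... - 1.js"), and looks up the SHA256s listed. The log format ("client method url status") and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the note above.
DOWNLOAD_HOSTS = {
    "block2enable3.net", "canonbest7.com", "lookbookinghotels.ws",
    "one4four1.ws", "trybttr.ws",
}
C2_HOSTS = {
    "185.154.15.150", "91.214.71.101", "46.173.214.95",
    "95.85.29.208", "51.255.105.2", "yofkhfskdyiqo.biz", "69.195.129.70",
}
C2_PATH = "/data/info.php"
KNOWN_SHA256 = {
    # encoded (as downloaded)
    "f35af296203a8c09e133cd202e27514ba21f014cb91c7e38411cf70bf23aa9de",
    "5502098946874b806da019d37eab755db36951a7a4cc64c113a169aa53df9cdb",
    "98bacd8eaaa7fa02ac1e817a015cce85c791879e69b866cac13b20231082d11d",
    "d5dde8ef4f97cbb4bccfcc1d9854536ed7335065a92ffdd3f36e421e6c963962",
    # decoded
    "ad26b56690a9e79012bbf54112f66e029f16093b4dd4d842ba1fdebad1a8e094",
    "a7c5d185235e8515e546d720e565a3efbc4e1b169852453726d5673dca0ed2d4",
}

# Lure naming from the note: "<8 hex chars> Budget_report_xls.js" or "<8 hex chars> Budget_report_xls - 1.js"
LURE_NAME = re.compile(r"^[0-9a-f]{8} Budget_report_xls( - 1)?\.js$", re.IGNORECASE)
ZIP_NAME = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)

# Constructed proxy log lines (assumed format: client method url status); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://canonbest7.com/1v1wwia 200
10.0.0.5 POST http://185.154.15.150/data/info.php 200
10.0.0.7 GET http://example.org/index.html 200
10.0.0.9 POST http://203.0.113.4/data/info.php 200
"""


def classify_url(url):
    """Return a label for a URL, or None if it matches nothing in the note."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in DOWNLOAD_HOSTS:
        return "locky-download"          # payload download site from the note
    if p.path == C2_PATH:
        # Exact C2 host: high confidence. Same path on another host: worth a look,
        # but the path alone is generic, so label it separately.
        return "locky-c2" if host in C2_HOSTS else "locky-c2-pattern"
    return None


def scan_proxy_log(text):
    """Return (client, label, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                     # skip malformed lines instead of crashing
        client, url = parts[0], parts[2]
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


def is_lure_attachment(zip_name, member_names):
    """True if the zip name and at least one member match the lure naming in the note."""
    return bool(ZIP_NAME.match(zip_name)) and any(LURE_NAME.match(m) for m in member_names)


def is_known_sample(sha256_hex):
    """Hash lookup against the encoded and decoded SHA256s listed above."""
    return sha256_hex.lower() in KNOWN_SHA256


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The C2 path is checked separately from the C2 host list on purpose: blocking or alerting on "/data/info.php" alone across all hosts will catch unrelated traffic, so the pattern label is meant for hunting and correlation (same client also fetched from a download host, same time window as the zip delivery), not for an automatic block.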