2017-08-11 Locky "Document / Scan"

Racco42, Aug 11th, 2017 (edited)
2017-08-11: #Locky email phishing campaign "Document / Scan / Order"
Samples: 626

Email sample:
--------------------------------------------------------------------------------------------------------------------
From: Evangelina <Evangelina.04@[REDACTED]>
To: [REDACTED]
Subject: Document
Date: Fri, 11 Aug 2017 14:31:00 +0400

Attachment: PDF00076094.pdf
--------------------------------------------------------------------------------------------------------------------
- sender address is forged to be from the same domain as the recipient's, format: <Name>.<number>@<domain>
- subject is "<Document|Invoice|Order|Paper|Receipt|Scan|Scanned Document>"
- email body is empty
- attached file "PDF<6-8 digits>.pdf" contains an embedded .docm file, which when opened runs a macro that will download from:

Download sites:
http://2-wave.com/JbhbUsfs
http://3e.com.pt/JbhbUsfs
http://3lr.es/JbhbUsfs
http://6tricksguides.com/JbhbUsfs
http://abstonework.ca/JbhbUsfs
http://accuflowfloors.com/JbhbUsfs
http://ach-wie.net/JbhbUsfs
http://actt.gr/JbhbUsfs
http://acurcioefilhos.pt/JbhbUsfs
http://adr-werbetechnik.de/JbhbUsfs
http://aegeanlab.gr/JbhbUsfs
http://cafe-papermoon.com/JbhbUsfs
http://cagliaricity.com/JbhbUsfs
http://calvintp.fr/JbhbUsfs
http://campusassas.com/JbhbUsfs
http://cancortes.com/JbhbUsfs
http://carriereiserphotography.com/JbhbUsfs
http://caseyeap.com/JbhbUsfs
http://cctv.pt/JbhbUsfs
http://darca.info/JbhbUsfs
http://grossert.de/JbhbUsfs
http://indiasublime.in/JbhbUsfs
http://inormann.it/JbhbUsfs
http://love.chuanmeiker.com/JbhbUsfs
http://nancywillems.nl/JbhbUsfs
http://nerdydroid.com/JbhbUsfs
http://rtozottosdossder.net/af/JbhbUsfs
http://seoulhome.net/JbhbUsfs
http://starsafety.net/JbhbUsfs
http://swangroup.net/JbhbUsfs

Update:
http://carriereiter.com/JbhbUsfs
http://gardenconcept.pl/JbhbUsfs
http://infopoupees.com/JbhbUsfs
http://musicphilicwinds.org/JbhbUsfs

Update:
http://121-psychic-reading.co.uk/JbhbUsfs
http://1888titlework.com/JbhbUsfs
http://adaliyapi.com/JbhbUsfs
http://campuslinne.com/JbhbUsfs
http://conceptfactory.com.au/JbhbUsfs
http://eselink.com.my/JbhbUsfs
http://sharplingerie.com/JbhbUsfs
http://toyah.de/JbhbUsfs

Malware:
- Locky ransomware
- SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e
- MD5: 9dcdfbb3e8e4020e4cf2fc77e86daa76
- VT: https://www.virustotal.com/en/file/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e/analysis/1502448250/
- HA: https://www.hybrid-analysis.com/sample/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e?environmentId=100
- C2: POST 91.219.28.39/checkupdate
      POST 185.127.24.191/checkupdate
- file extension: .diablo6
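An added example, not part of Racco42's paste: Python detection logic that checks an email against the campaign template described above (forged same-domain sender of the form <Name>.<number>@<domain>, one of the listed subjects, empty body, PDF<6-8 digits>.pdf attachment) and scans web-proxy log lines for the indicators in the paste: the /JbhbUsfs URI path, which every listed download site shares, and the two C2 hosts with their /checkupdate POST. The sample message, the example.com addresses and the log lines are constructed for illustration; only the URI path, the C2 addresses and the Date header are taken from the paste, and the sender regex is an assumption about how <Name> is formed.

```python
# Added example, not part of the original paste: detection heuristics for the
# campaign above. Indicator values come from the paste; sample email, addresses
# and log lines are constructed for illustration.
import re
from email import message_from_string
from urllib.parse import urlparse

DOWNLOAD_PATH = "/JbhbUsfs"                    # common to every listed download URL
C2_HOSTS = {"91.219.28.39", "185.127.24.191"}  # C2 hosts from the paste
C2_PATH = "/checkupdate"
SUBJECTS = {"document", "invoice", "order", "paper", "receipt", "scan", "scanned document"}
SENDER_RE = re.compile(r"^[a-z]+\.\d+@(?P<domain>[^@\s]+)$")   # <Name>.<number>@<domain> (assumed letters-only name)
ATTACH_RE = re.compile(r"^PDF\d{6,8}\.pdf$", re.IGNORECASE)      # PDF<6-8 digits>.pdf


def _address(header_value):
    """Bare, lower-cased address from 'Display <addr>' or 'addr'."""
    header_value = header_value or ""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def score_email(raw):
    """Check a raw RFC 822 message against the four campaign traits; returns
    {'traits': {...}, 'hits': n}. Four hits fit the paste's template."""
    msg = message_from_string(raw)
    sender, recipient = _address(msg.get("From")), _address(msg.get("To"))
    subject = (msg.get("Subject") or "").strip().lower()

    # Trait 1: sender forged as <Name>.<number>@ the recipient's own domain.
    m = SENDER_RE.match(sender)
    forged_sender = bool(m) and "@" in recipient and m.group("domain") == recipient.split("@", 1)[1]

    # Traits 3 and 4: empty body and a PDF<6-8 digits>.pdf attachment.
    body_empty, pdf_attachment = True, False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            pdf_attachment = pdf_attachment or bool(ATTACH_RE.match(filename))
        elif (part.get_payload(decode=True) or b"").strip():
            body_empty = False

    traits = {
        "forged_same_domain_sender": forged_sender,
        "lure_subject": subject in SUBJECTS,          # Trait 2
        "empty_body": body_empty,
        "pdf_digits_attachment": pdf_attachment,
    }
    return {"traits": traits, "hits": sum(traits.values())}


LOG_RE = re.compile(r"\b(?P<method>GET|POST)\s+(?P<url>\S+)")


def scan_log(lines):
    """Return (line, reason) pairs for proxy log lines hitting the indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = urlparse(m.group("url"))
        host, path = (parsed.hostname or "").lower(), parsed.path
        if path.endswith(DOWNLOAD_PATH):            # also catches /af/JbhbUsfs
            findings.append((line, "locky-download-path"))
        elif host in C2_HOSTS:
            checkin = m.group("method") == "POST" and path == C2_PATH
            findings.append((line, "locky-c2-checkin" if checkin else "locky-c2-host"))
    return findings


# Constructed samples (example.com addresses; only the Date header is from the paste).
SAMPLE_EMAIL = """\
From: Evangelina <Evangelina.04@example.com>
To: jdoe@example.com
Subject: Document
Date: Fri, 11 Aug 2017 14:31:00 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/pdf; name="PDF00076094.pdf"
Content-Disposition: attachment; filename="PDF00076094.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""
BENIGN_EMAIL = "From: Alice <alice@example.com>\nTo: jdoe@example.com\nSubject: Lunch\n\nSee you at noon.\n"
SAMPLE_LOG = [
    "2017-08-11T10:32:01Z 10.0.0.5 GET http://2-wave.com/JbhbUsfs 200",
    "2017-08-11T10:32:09Z 10.0.0.5 POST http://91.219.28.39/checkupdate 200",
    "2017-08-11T10:33:00Z 10.0.0.7 GET http://example.com/index.html 200",
    "2017-08-11T10:34:00Z 10.0.0.8 GET http://185.127.24.191/ 404",
]
```

A message scoring 4/4 on the email traits, or any proxy hit on the shared download path, is a high-confidence match for this campaign; a bare contact with one of the C2 addresses is weaker evidence on its own, since IP addresses get reassigned, so compare the log timestamp with the campaign date before acting on it.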