2017-08-11: #Locky email phishing campaign "Document / Scan / Order"
Samples: 626
Email sample:
--------------------------------------------------------------------------------------------------------------------
From: Evangelina <Evangelina.04@[REDACTED]>
To: [REDACTED]
Subject: Document
Date: Fri, 11 Aug 2017 14:31:00 +0400
Attachment: PDF00076094.pdf
--------------------------------------------------------------------------------------------------------------------
- sender address is forged to appear from the same domain as the recipient's, format: <Name>.<number>@<domain>
- subject is "<Document|Invoice|Order|Paper|Receipt|Scan|Scanned Document>"
- email body is empty
- attached file "PDF<6-8 digits>.pdf" contains an embedded .docm file, which when opened runs a macro that downloads from:
Download sites:
Malware:
- Locky ransomware
- SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e
- MD5: 9dcdfbb3e8e4020e4cf2fc77e86daa76
- VT: https://www.virustotal.com/en/file/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e/analysis/1502448250/
- HA: https://www.hybrid-analysis.com/sample/5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e?environmentId=100
- C2: POST 91.219.28.39/checkupdate
      POST 185.127.24.191/checkupdate
- file extension: .diablo6
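A mail-gateway triage check for the lure characteristics listed above (spoofed same-domain sender in <Name>.<number> form, the fixed subject set, empty body, a PDF<digits>.pdf attachment carrying an embedded .docm), as an added example that is not part of the original paste. The message, the example.test domain, the indicator names and the PDF bytes are constructed stand-ins, not captured samples.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Lure characteristics taken from the campaign notes above.
SUBJECTS = {"Document", "Invoice", "Order", "Paper", "Receipt", "Scan", "Scanned Document"}
SENDER_RE = re.compile(r"^[A-Za-z]+\.\d+$")            # <Name>.<number> local part
ATTACH_RE = re.compile(r"^PDF\d{6,8}\.pdf$", re.IGNORECASE)

def lure_indicators(msg: EmailMessage) -> List[str]:
    """Return the names of the campaign indicators this message matches."""
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    s_local, _, s_dom = sender.rpartition("@")
    r_dom = rcpt.rpartition("@")[2]
    if s_dom and s_dom.lower() == r_dom.lower() and SENDER_RE.match(s_local):
        hits.append("spoofed-internal-sender")
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("lure-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("pdf-attachment-name")
            payload = part.get_payload(decode=True) or b""
            # A .docm dropped inside a PDF appears as an embedded file stream.
            if b"/EmbeddedFile" in payload and b".docm" in payload.lower():
                hits.append("pdf-embeds-docm")
    return hits

def build_sample(attachment: bytes,
                 sender: str = "Evangelina <Evangelina.04@example.test>",
                 subject: str = "Document") -> EmailMessage:
    """Constructed message mirroring the observed headers (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename="PDF00076094.pdf")
    return msg

# Constructed stand-in for a PDF carrying an embedded document; not real malware.
FAKE_PDF = b"%PDF-1.7\n1 0 obj << /Type /EmbeddedFile >> stream\nfile.docm\nendstream\n"
```

A message that matches all five indicators is a strong quarantine candidate; a plain PDF with a generic subject only trips the weaker name and empty-body checks.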