API tools faq
paste
Advertisement
Racco42

2017-10-10 Locky & Trickbot "Invoice INV0000xxx"

Racco42
Oct 11th, 2017
1,784
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.11 KB | None | 0 0
raw download clone embed print report
  1. 2017-10-10: #locky and #trickbot email phishing campaign "Invoice INV0000xxx"
  2.  
  3. Email sample:
  4. ---------------------------------------------------------------------------------------------------------------------
  5. From: Porter Waterman <porter@atelier-autour-de-la-mode.com>
  6. To: [REDACTED]
  7. Subject: Invoice INV0000281
  8. Date: Tue, 10 Oct 2017 22:21:02 -0200
  9.  
  10.  
  11. Sent from my iPhone
  12.  
  13. Attachment: Invoice INV0000281.7z -> Invoice INV0000988.vbs
  14. ---------------------------------------------------------------------------------------------------------------------
  15. - subject is "Invoice INV0000<3 digits>"
  16. - attached file "Invoice INV0000<3 digits>.7z" contains file "Invoice INV0000<3 digits>.vbs", a VBScript downloader which will download either Trickbot (in case PC is by IP geolocated in UK, AU, LU, BE, IE) or Locky from one of the download sites:
  17.  
  18. Locky download sites:
  19. http://alucmuhendislik.com/09yhb7r5e
  20. http://bit-chasers.com/09yhb7r5e
  21. http://bjp.co.id/09yhb7r5e
  22. http://centurythis.com/09yhb7r5e
  23. http://hellonwheelsthemovie.com/09yhb7r5e
  24. http://hexacam.com/09yhb7r5e
  25. http://mh-service.ru/09yhb7r5e
  26. http://nsaflow.info/p66/09yhb7r5e
  27.  
  28. Trickbot download sites:
  29. http://mtblanc-let.co.uk/nui76tg7
  30. http://nsaflow.info/p66/nui76tg7
  31. http://qxr33qxr.com/nui76tg7
  32. http://smi-wi.com/nui76tg7
  33. http://yamanashi-jyujin.jp/nui76tg7
  34.  
  35. Malware:
  36. - locky ransomware, offline asasin variant
  37. - SHA256: c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3, MD5 1934bc240ae9e8e101490a9dab13c079
  38. - VT: https://www.virustotal.com/en/file/c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3/analysis/1507719478/
  39. - HA: https://www.reverse.it/sample/c2e56510866a6e038ac723a3e5a2ac66b14f407b91886077727f622f561164e3?environmentId=100
  40.  
  41. - trickbot banking trojan
  42. - SHA256: 24184f3ae1a878018d650812c7084cdc91fdaa8916d3d11140ef06d6306347a2, MD5: 5216bf5213f2f94e756ce464d34c740c
  43. - VT: https://www.virustotal.com/en/file/24184f3ae1a878018d650812c7084cdc91fdaa8916d3d11140ef06d6306347a2/analysis/1507717690/
  44. - HA: https://www.reverse.it/sample/24184f3ae1a878018d650812c7084cdc91fdaa8916d3d11140ef06d6306347a2?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!