2016-12-14: #locky email phishing campaign "Booking Confirmation"
Sample email:
-------------------------------------------------------------------------------------------------------------------
From: camille tuenbull <camille.tuenbull@didlake.hr.coxmail.com>
To: [REDACTED]
Date: Wed, 14 Dec 2016 11:56:41 +0200
Subject: Booking Confirmation
Booking Confirmation
This email and any attachments are confidential. If you have received it in error - notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
Attachment: BookingConfirmation_7305_[REDACTED].docm
-------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Booking Confirmation"
- attached file "BookingConfirmation_<2-6 digits>_<recipient's email>.docm" is a Microsoft Word document containing a malicious macro that downloads the malware
Download sites:
Malware
- as downloaded (encoded): SHA256 a0f61de098c20ea77b8c0aa81724459fe63ac2f21f0b3150a2a5b16e1971ba40, MD5 47ba782233f37579aff9ca0687b36b5c
- decoded: SHA256 a9574969901055c2db26e0a9f63cde558d9b9be85f808bf3013888bc65cfd87b, MD5 78f3293d928a1539b7a173124b255b96
- executed by "rundll32.exe %TEMP%\<filename>.rudf,GetMessage"
- samples:
https://www.reverse.it/sample/bf80b15f9e889be5b41a0bba33163a823cb4560b36297902e35a22e372b9ff44?environmentId=100
https://www.reverse.it/sample/bc504d0fc9793d24ea860ca069745eeb0a777906a3cb98196bc3ac84507d857a?environmentId=100
C2:
POST http://176.121.14.95/checkupdate
POST http://185.117.72.105/checkupdate
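To show how the indicators above turn into detection logic, here is an added example (not part of the original paste) that matches each stage of the campaign, the attachment naming pattern, the /nbv364 download path, the rundll32 ",GetMessage" execution and the /checkupdate C2 request, against constructed sample events. The regexes, event field names and sample values are constructed for this example; only the patterns they encode come from the notes above.

```python
import re

# Regexes derived from the campaign notes (constructed for this example).
ATTACHMENT_RE = re.compile(r"^BookingConfirmation_\d{2,6}_[^\s@/\\]+@[^\s@/\\]+\.docm$", re.I)
DOWNLOAD_URI_RE = re.compile(r"^https?://[^/\s]+/nbv364/?$", re.I)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b[^\n]*\.rudf\s*,\s*GetMessage\b", re.I)
C2_RE = re.compile(r"^POST\s+https?://[^/\s]+/checkupdate\b", re.I)


def mail_hit(subject, attachment):
    """Subject 'Booking Confirmation' with a BookingConfirmation_<digits>_<email>.docm attachment."""
    return subject.strip().lower() == "booking confirmation" and bool(ATTACHMENT_RE.match(attachment))


def proxy_hit(url):
    """Outbound request for the campaign's download path."""
    return bool(DOWNLOAD_URI_RE.match(url))


def process_hit(cmdline):
    """rundll32 loading a .rudf file via the GetMessage export."""
    return bool(RUNDLL_RE.search(cmdline))


def c2_hit(request_line):
    """POST to the /checkupdate C2 endpoint."""
    return bool(C2_RE.match(request_line))


def scan(events):
    """events: dicts with a 'kind' key; returns (index, kind) for every event that matches."""
    checks = {
        "mail": lambda e: mail_hit(e["subject"], e["attachment"]),
        "proxy": lambda e: proxy_hit(e["url"]),
        "process": lambda e: process_hit(e["cmdline"]),
        "http": lambda e: c2_hit(e["request"]),
    }
    return [(i, e["kind"]) for i, e in enumerate(events) if e["kind"] in checks and checks[e["kind"]](e)]


# Constructed sample events (hostnames/IPs are placeholders, not real indicators).
SAMPLE_EVENTS = [
    {"kind": "mail", "subject": "Booking Confirmation", "attachment": "BookingConfirmation_7305_user@example.com.docm"},
    {"kind": "mail", "subject": "Booking Confirmation", "attachment": "itinerary.pdf"},
    {"kind": "proxy", "url": "http://example.invalid/nbv364"},
    {"kind": "proxy", "url": "http://example.invalid/index.html"},
    {"kind": "process", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\abc123.rudf,GetMessage"},
    {"kind": "http", "request": "POST http://192.0.2.10/checkupdate"},
]

if __name__ == "__main__":
    for idx, kind in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {kind} event matches a Locky campaign indicator")
```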