2016-09-22 #locky email phish campaign "Receipt of payment"

Email:
--------------------------------------------------------------------------------------------------------------------
From: "Maria scrivener" <Maria.scrivener0@patelmarriages.com>
To: [REDACTED]
Subject: Receipt of payment
Date: Thu, 22 Sep 2016 03:39:58 +0400

Good afternoon,
Thank you for you call this afternoon.
Please find attached your receipt of payment.
If you need anything else please feel free to contact me on the details below.
Kind regards.
Maria scrivener
Credit Controller
IB GIBL Credit Control
7th Floor Spectrum Building
55 Blythswood Street | Glasgow | G2 7AT
Direct: 0141 233 3164
Maria.scrivener0@patelmarriages.com
http://www.ajginternational.com/

Attachment: "(#77239916719) Receipt.zip"
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails, but the "company" in footer of email is the same
- subject is "Receipt of payment"
- attached file "(#<number>) Receipt.zip" contains file <random uppercase chars>.hta, a JScript downloader

Download sites:
http://abdulqadirmahar.com/746t3fg3
http://accentofficefurniture.co.nz/746t3fg3
http://afzalbaloch.comli.com/746t3fg3
http://agaoglu-mytown.com/746t3fg3
http://appleappdeveloper.com/746t3fg3
http://attractions.com/746t3fg3
http://blivenews.com/746t3fg3
http://cardimax.com.ph/746t3fg3
http://celebratebanking.com/746t3fg3
http://deftr.com/746t3fg3
http://dmlevents.com/746t3fg3
http://emaster.4devlab.com/746t3fg3
http://flyingbtc.com/746t3fg3
http://graybowolson.com/746t3fg3
http://greenkeralatravels.com/746t3fg3
http://grimkonde.net/746t3fg3
http://hrx.net.au/746t3fg3
http://imsalud.gov.co/746t3fg3
http://indglobaldemo.com/746t3fg3
http://infosunsystem.com/746t3fg3
http://lsnsoft.info/746t3fg3
http://managedv2.4devlab.com/746t3fg3
http://micaraland.com/746t3fg3
http://muhammadyunus.org/746t3fg3
http://myownindia.com/746t3fg3
http://nsgroup.in/746t3fg3
http://prettynicewebsite.com/746t3fg3
http://pvtltdregistration.com/746t3fg3
http://ringspo.com/746t3fg3
http://satyagroups.in/746t3fg3
http://tvorbis.com.mk/746t3fg3
http://venussystems.in/746t3fg3
http://www.barodawebsolution.com/746t3fg3
http://www.bujod.in/746t3fg3
http://www.e-media.in/746t3fg3
http://www.mango-do.com/746t3fg3
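The lure pattern and download URLs above can be turned into mail-gateway and proxy-log checks. The following is an added example, not part of the paste: it matches mail metadata against the subject, the "(#<number>) Receipt.zip" attachment name and the uppercase ".hta" inside it, and scans proxy log lines for the shared "/746t3fg3" path. It deliberately matches the URL path on any host (an assumption going beyond the listed sites, since the same path was reused across all of them), and the log line format and sample lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators as stated in the campaign notes.
CAMPAIGN_SUBJECT = "Receipt of payment"
ATTACHMENT_RE = re.compile(r"^\(#\d+\) Receipt\.zip$")   # "(#<number>) Receipt.zip"
HTA_RE = re.compile(r"^[A-Z]+\.hta$")                     # <random uppercase chars>.hta
DOWNLOAD_PATH = "/746t3fg3"                               # path shared by every download site


def classify_email(subject, attachment, inner_files=()):
    """Return the names of campaign indicators matched by one message's metadata.

    subject      - the Subject header
    attachment   - file name of the attachment
    inner_files  - file names found inside the attachment, if it was unpacked
    """
    hits = []
    if subject.strip() == CAMPAIGN_SUBJECT:
        hits.append("subject")
    if ATTACHMENT_RE.match(attachment):
        hits.append("attachment_name")
    if any(HTA_RE.match(name) for name in inner_files):
        hits.append("hta_in_zip")
    return hits


def find_download_hits(proxy_lines):
    """Scan '<client> <url> <status>' proxy lines (constructed format) for the campaign path.

    Matching on the path alone is an assumption: it catches hosts not in the
    list above at the cost of the odd false positive, which is acceptable for
    an eight-character random-looking path.
    """
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        client, url = parts[0], parts[1]
        if urlparse(url).path == DOWNLOAD_PATH:
            hits.append((client, url))
    return hits


# Constructed sample proxy lines: one listed host, one unlisted host with the same
# path, one benign request.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 http://deftr.com/746t3fg3 200",
    "10.0.0.7 http://unlisted.example/746t3fg3 404",
    "10.0.0.6 http://example.com/index.html 200",
]

if __name__ == "__main__":
    print(classify_email("Receipt of payment", "(#77239916719) Receipt.zip", ["KQWERTY.hta"]))
    print(find_download_hits(SAMPLE_PROXY_LOG))
```

Scoring the three email indicators separately rather than requiring all of them lets the gateway alert on a variant that changes only the attachment number or the sender, which the notes say varies per message.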
Malware:
- encoded on download, SHA256 78900539b0e2907007f5de818ac69c89eaf7ff1b29f901ff84e65d0b1e718021, filesize 163840
- decoded SHA256 704eb9e3cc54bdafa1736f529ae0695d620a7c064e6d4fac591ab98ebe47fc0c
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
- samples
  https://www.reverse.it/sample/9779195cabb5547307cfad9e52d543fda56f3e8ff8eb517289d2ac15eba89ee4?environmentId=100
  https://www.reverse.it/sample/aee3478b5f6782c9adcabf84bce7992e84634b9e4e7277f34bdb2fc678a7bf66?environmentId=100
  https://www.reverse.it/sample/252c1e2ab29b8c077edbf5f69d9f0382554d0751dcb96e8c1a29c0ce331b035b?environmentId=100
  https://www.reverse.it/sample/1020fa9afbfad3700e1cbf03200d2a1973f976d3c1a3bcc9f6bf070df07c0917?environmentId=100
  https://www.reverse.it/sample/d6d6859b7b9896b7fe8818d375b1fbacafdd30fb6304ba6f086dd9e988bcf275?environmentId=100

C2:
- no visible C2 communication, encryption key is probably in the locky configuration
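The execution detail above ("rundll32.exe %TEMP%\<dll_name>,qwerty") is the most durable host-side indicator here, since the DLL name is random but the export name and the temp-directory location are not. The following is an added example, not from the paste, of a check over process-creation events: it flags rundll32 invocations whose DLL sits under %TEMP% or the expanded AppData\Local\Temp path, whose export is "qwerty", or whose image hash is one of the two SHA256 values listed. The event dictionary layout and sample events are constructed; the regex assumes the DLL path contains no spaces, which holds for the %TEMP%\<random>.dll form described.

```python
import re

# Hashes from the notes above, labelled by what they identify.
KNOWN_SHA256 = {
    "78900539b0e2907007f5de818ac69c89eaf7ff1b29f901ff84e65d0b1e718021": "encoded payload as downloaded",
    "704eb9e3cc54bdafa1736f529ae0695d620a7c064e6d4fac591ab98ebe47fc0c": "decoded DLL",
}

# rundll32[.exe] <dll>,<export>  (assumes no spaces in the DLL path)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?)\s*,\s*(?P<export>\w+)", re.I)
# %TEMP% unexpanded, or the per-user temp directory it normally expands to (assumption).
TEMP_RE = re.compile(r"(?:%TEMP%|\\AppData\\Local\\Temp\\)", re.I)


def check_process(cmdline, sha256=None):
    """Return the list of reasons a process event matches this campaign (empty if clean)."""
    reasons = []
    m = RUNDLL_RE.search(cmdline)
    if m:
        if m.group("export").lower() == "qwerty":
            reasons.append("export_qwerty")
        if TEMP_RE.search(m.group("dll")):
            reasons.append("dll_in_temp")
    if sha256 and sha256.lower() in KNOWN_SHA256:
        reasons.append("known_hash")
    return reasons


def scan_events(events):
    """Run check_process over constructed process events; return (pid, reasons) for matches."""
    findings = []
    for ev in events:
        reasons = check_process(ev["cmdline"], ev.get("sha256"))
        if reasons:
            findings.append((ev["pid"], reasons))
    return findings


# Constructed sample events: the campaign's launch line, a legitimate rundll32 use,
# and a non-rundll32 process whose image hash is the decoded DLL.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"rundll32.exe %TEMP%\KJHGFD.dll,qwerty"},
    {"pid": 4121, "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 4122, "cmdline": r"C:\Users\u\AppData\Local\Temp\KJHGFD.dll",
     "sha256": "704eb9e3cc54bdafa1736f529ae0695d620a7c064e6d4fac591ab98ebe47fc0c"},
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS):
        print(pid, reasons)
```

Either the export name or the temp-directory DLL alone is a reasonable hunting query; the two together, on a process whose parent is a script host that unpacked an .hta, is close to a confirmed hit.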