2017-09-26 Locky "Invoice PISxxxxxxx"

Racco42, Sep 27th, 2017 (edited)
2017-09-26: #locky email phishing campaign "Invoice PISNNNNNNN"

Email sample:
------------------------------------------------------------------------------------------------------------------
From: AutoPosted PI Notifier <NoReplyMailbox@tpabc.com>
To: [REDACTED]
Date: Tue, 26 Sep 2017 13:38:30 -0200
Subject: Invoice PIS3045283

Attachment: InvoicePIS3045283.7z -> PIS7972654.vbs
------------------------------------------------------------------------------------------------------------------
- sender address is forged to look like "AutoPosted PI Notifier" <NoReplyMailbox@[Random domain]>
- Subject is "Invoice PIS<7 digits>"
- body of the email is empty
- attached file "InvoicePIS<7 digits>.7z" contains file "PIS<7 digits>.vbs", a VBScript downloader which will download malware from

Download sites:

Malware
- locky, offline .ykcol variant
- VT: https://www.virustotal.com/en/file/ebc06b56785f32b5d80bab14ed518e3d6e189c925f6d54dc7805fc7e867a1273/analysis/1506495287/
- HA: https://www.hybrid-analysis.com/sample/ebc06b56785f32b5d80bab14ed518e3d6e189c925f6d54dc7805fc7e867a1273?environmentId=100
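
The email traits listed above (forged sender name, subject pattern, empty body, attachment name) can be checked on a mail gateway or in a mailbox sweep. The following is an added example, not part of the original paste: the function names, the match threshold and the sample message (using example.com) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^Invoice PIS\d{7}$")
ATTACH_RE = re.compile(r"^InvoicePIS\d{7}\.7z$", re.IGNORECASE)

def campaign_traits(raw):
    """Return which traits listed in the paste a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    traits = set()
    name, addr = parseaddr(msg.get("From", ""))
    # The sender domain is random, so match only display name and local part.
    if name == "AutoPosted PI Notifier" and addr.lower().startswith("noreplymailbox@"):
        traits.add("sender")
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        traits.add("subject")
    body = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            if ATTACH_RE.match(fname):
                traits.add("attachment")
        elif part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if not body.strip():
        traits.add("empty_body")
    return traits

def is_campaign_match(raw):
    # Assumed threshold: the attachment name plus at least two other traits.
    traits = campaign_traits(raw)
    return "attachment" in traits and len(traits) >= 3

# Constructed sample message (not a real capture); the payload is dummy bytes.
SAMPLE = "\n".join([
    "From: AutoPosted PI Notifier <NoReplyMailbox@example.com>",
    "To: user@example.org",
    "Subject: Invoice PIS1234567",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "", "--b1", 'Content-Type: text/plain; charset="utf-8"', "", "",
    "--b1", "Content-Type: application/x-7z-compressed",
    'Content-Disposition: attachment; filename="InvoicePIS1234567.7z"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--b1--", ""])

if __name__ == "__main__":
    print(sorted(campaign_traits(SAMPLE)), is_campaign_match(SAMPLE))
```

The check inspects only headers and MIME structure; it does not open the 7z archive, so the inner "PIS<7 digits>.vbs" name is not verified here.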