Advertisement
Racco42

2017-10-04 Locky "Copy of invoice ANNNNNNNNNN"

Oct 4th, 2017
4,594
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.06 KB | None | 0 0
  1. 2017-10-04: #locky email phishing campaign "Copy of invoice ANNNNNNNNNN. Please find your invoice attached."
  2.  
  3. Email sample:
  4. -----------------------------------------------------------------------------------------------------------------
  5. From: online@screwfix.com
  6. To: [REDACTED]
  7. Subject: Copy of invoice A3229365915. Please find your invoice attached.
  8. Date: Wed, 04 Oct 2017 14:38:16 +0530
  9.  
  10. Dear customer
  11.  
  12. Thank you for shopping with Electricfix. A copy of your invoice is
  13. attached. If your invoice is not attached please email
  14. invoice@electricfix.com.
  15.  
  16. Order number: A3229365915
  17.  
  18. Forward planning:
  19. While we try our hardest to get your products to you in time and in
  20. perfect condition, we suggest that you don’t schedule any
  21. installation work until a few days after the expected delivery date,
  22. just in case you need to resolve any technical questions or order
  23. additional fittings if necessary.
  24.  
  25. Disclaimer:
  26. This e-mail and any attachments are confidential. If you are not the
  27. intended recipient, please contact us immediately on 03330 112 333
  28. (mobile friendly) and inform the sender. Please then delete the e-mail
  29. and do not disclose the contents to anyone.
  30.  
  31. Although we do scan outgoing e-mails for viruses, it is possible that
  32. a virus may have become attached and it is your responsibility to scan
  33. incoming e-mails.
  34.  
  35. Contact Us:
  36. Telephone: 03330 112 333 (mobile friendly) UK based contact centre
  37. Email: online@Electricfix.com
  38. Address: Screwfix Direct Ltd, Trade House, Mead Avenue, Yeovil, BA22
  39. 8RT
  40. Company Registration No 03006378 VAT No 232 5555 75
  41.  
  42. Attachment: InvoiceA3229365915.7z -> Invoice415336724312713286955666.vbs
  43. -----------------------------------------------------------------------------------------------------------------
  44. - sender is "online@screwfix.com"
  45. - subject is "Copy of invoice A<10 digits>. Please find your invoice attached."
  46. - attached file "InvoiceA<10 digits>.7z" contains file "Invoice<24 digits>.vbs", a VBScript downloader which will download malware from:
  47.  
  48. Download sites:
  49. http://cutwell.ca/8etyfh3ni
  50. http://derainlay.info/p66/8etyfh3ni
  51. http://ericweb.co.za/8etyfh3ni
  52. http://pciholog.ru/8etyfh3ni
  53. http://proteinmarker.com/8etyfh3ni
  54. http://rentwestq.com/8etyfh3ni
  55. http://schoensigns.com/8etyfh3ni
  56. http://scouting-bvb.nl/8etyfh3ni
  57. http://shopsshops.de/8etyfh3ni
  58. http://smarterbaby.com/8etyfh3ni
  59. http://spazioireos.it/8etyfh3ni
  60. http://tailer.it/8etyfh3ni
  61. http://tarimsalteknoloji.com/8etyfh3ni
  62. http://techknowlogix.net/8etyfh3ni
  63. http://tecnigrafite.com/8etyfh3ni
  64. http://turfschiploge.nl/8etyfh3ni
  65.  
  66. Updated:
  67. http://hwayou.com.tw/8etyfh3ni
  68. http://rocknsoulamerica.com/8etyfh3ni
  69. http://securmailbox.it/8etyfh3ni
  70.  
  71. Malware:
  72. - Locky ransomware, offlien ykcol version
  73. - SHA256: 7c88ec63f7ca11a22add9f77f47f7ac8f71e930b3dd24422940c28cc8fd22ac2, MD5: 3ba59430e3a75cf5c6ec1b7fcc5dfe33
  74. - VT: https://www.virustotal.com/file/7c88ec63f7ca11a22add9f77f47f7ac8f71e930b3dd24422940c28cc8fd22ac2/analysis/1507108536/
  75. - HA: https://www.reverse.it/sample/7c88ec63f7ca11a22add9f77f47f7ac8f71e930b3dd24422940c28cc8fd22ac2?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement