Racco42

2016-11-29 Locky "[Scan] 201611dd hh:mm:ss"

Nov 30th, 2016
2016-11-29 #locky email phishing campaign "[Scan] 201611dd hh:mm:ss"

Email sample:
-----------------------------------------------------------------------------------------------------------------
From: "OPHELIA DESAVIGNY" <ophelia.desavigny.23147@walkerspartnership.co.uk>
To: [REDACTED]
Subject: [Scan] 2016-1130 05:29:50
Date: Wed, 30 Nov 2016 05:29:50 +0530

--
Sent with Genius Scan for iOS.

Attachment: "2016-1130 05-29-50.zip" -> "2016-1125 14-23-13.vbs"
-----------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "[Scan] 201611<29|30> <time in 24-hour hh:mm:ss format>"
- attached file "2016-11<29|30> <time in 24-hour hh:mm:ss format>.zip" contains file "2016-11<29|30> <time in 24-hour hh:mm:ss format>.vbs", a VBScript downloader

Download sites:

Malware:
- encoded on download, SHA256 913ef64659ae5f5efc8c5d792326a663c4d545d9b7452affee265984c74ae7e5, MD5 ae88127ed9f8451f730312cbbe44e91d
- decoded SHA256 4580a67b6eedcf233f9c74723635d89f29ccf1cc58fe0c12ef0b8aa80e38aa73, MD5 c7b49ae21e22eab80c938e4a74d1bea6
- executed by "rundll32.exe %TEMP%\<filename>.342,aqua"
- sample
https://www.virustotal.com/file/4580a67b6eedcf233f9c74723635d89f29ccf1cc58fe0c12ef0b8aa80e38aa73/analysis/1480482005/
https://www.hybrid-analysis.com/sample/1702b64a46c75ab129a7ecbed947f4491004963efda8aa3b8a2ac730ac1490cb?environmentId=100

C2:
POST http://95.213.195.123:80/information.cgi
POST http://91.142.90.61:80/information.cgi

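Added detection example (not part of Racco42's post): the lure naming from the email description and the rundll32 launch from the Malware section turned into two checks a mail gateway or EDR rule could run. The sample message and command line below are constructed from the values in the post; the function names and the "temp directory plus non-.dll module" heuristic are this example's own assumptions.

```python
import re
from typing import Dict, List

# Lure naming from the post: subject "[Scan] 201611<29|30> hh:mm:ss", with a
# zip and inner .vbs named the same way. The observed sample writes the date
# as "2016-1130", so the hyphen is optional; the inner .vbs in that sample
# carried a different day (2016-1125), so only the shape of its day is checked.
_DAY = r"2016-?11(?:29|30)"
_TIME = r"(?:[01]\d|2[0-3])[:-][0-5]\d[:-][0-5]\d"
SUBJECT_RE = re.compile(rf"^\[Scan\] {_DAY} {_TIME}$")
ZIP_RE = re.compile(rf"^{_DAY} {_TIME}\.zip$", re.IGNORECASE)
VBS_RE = re.compile(rf"^2016-?11\d\d {_TIME}\.vbs$", re.IGNORECASE)

# Execution observed in the post: rundll32.exe %TEMP%\<filename>.342,aqua
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<path>\S+),(?P<export>\S+)",
                       re.IGNORECASE)


def score_email(subject: str, attachments: Dict[str, List[str]]) -> List[str]:
    """Return the campaign traits one message matches.

    `attachments` maps each attachment name to the names of the files it
    contains (an empty list for a non-archive attachment)."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject: [Scan] 201611dd hh:mm:ss")
    for name, members in attachments.items():
        if ZIP_RE.match(name):
            hits.append("zip named like the subject timestamp")
        if any(VBS_RE.match(m) for m in members):
            hits.append("zip contains a timestamp-named .vbs")
    return hits


def rundll32_loads_temp_nondll(cmdline: str) -> bool:
    """True when rundll32 is told to load a module from a temp directory whose
    extension is not .dll, the shape of this campaign's payload launch."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return False
    path = m.group("path").strip('"').lower()
    in_temp = "%temp%" in path or "\\temp\\" in path
    return in_temp and not path.endswith(".dll")


if __name__ == "__main__":
    # Constructed inputs built from the sample in the post.
    print(score_email("[Scan] 2016-1130 05:29:50",
                      {"2016-1130 05-29-50.zip": ["2016-1125 14-23-13.vbs"]}))
    print(rundll32_loads_temp_nondll(r"rundll32.exe %TEMP%\report.342,aqua"))
```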