Racco42

2017-09-27 Locky "Scanned image from MX-2600N"

Sep 27th, 2017
2017-09-27: #locky email phishing campaign "Scanned image from MX-2600N"

Email sample:
---------------------------------------------------------------------------------------------------------------------
From: <noreply@[REDACTED]>
To: [REDACTED]
Subject: Scanned image from MX-2600N
Date: Wed, 27 Sep 2017 13:15:45 -0200

Reply to: noreply@[REDACTED]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: Adobe Acrobat Reader
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Document password:
Creation date: Wed, 27 Sep 2017 13:15:45 -0200

Attachment: 20170927_572305.7z -> 20170927_386780.vbs
---------------------------------------------------------------------------------------------------------------------
- the sender address is forged to look as if the mail came from the recipient's own domain, <noreply@[recipient's domain]>
- the subject is "Scanned image from MX-2600N"; subject and body mimic the scan-to-email notification of a Sharp MX-2600N multifunction printer
- the body claims a PDF scan, but the attachment "20170927_<6 digits>.7z" is an archive containing "20170927_<6 digits>.vbs", a VBScript downloader that fetches the malware from one of the following sites:

Download sites:
http://aeaccting.com/d8743fgh
http://asecontrids.com/d8743fgh
http://ashapeforlife.com/d8743fgh
http://ashtontan.com/d8743fgh
http://avsaroglubisiklet.com/d8743fgh
http://bhs-news.com/d8743fgh
http://borcom.de/d8743fgh
http://bosphorustekneleri.com/d8743fgh
http://consultingfranquean.com/d8743fgh
http://cortaestanciapolanco.com/d8743fgh
http://crna-macka.com/d8743fgh
http://dic-astra.com/d8743fgh
http://gug-gummi.com/d8743fgh
http://poemsan.info/p66/d8743fgh
http://www.fasching-hallbergmoos.de/d8743fgh
  44.  
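The indicators above (forged noreply@ sender on the recipient's own domain, the subject, the 20170927_<6 digits>.7z attachment, and the /d8743fgh download path on the listed hosts) written out as detection logic, added here as an example and not code from the original paste. The message and proxy-log lines are constructed (example.com, 10.0.0.x addresses); stripping a leading "www." before host matching and the "two or more hits" threshold are assumptions of this example, not observations from the note:

```python
"""Triage checks for the 2017-09-27 Locky "Scanned image from MX-2600N" wave.

Added example, not code from the original paste. It turns the note's
indicators (forged noreply@<recipient domain> sender, the subject, a
20170927_<6 digits>.7z attachment, second-stage URLs ending in /d8743fgh)
into functions a mail gateway or SIEM rule could run. Sample data is constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

SUBJECT = "Scanned image from MX-2600N"
ATTACHMENT_RE = re.compile(r"^20170927_\d{6}\.7z$", re.IGNORECASE)
PAYLOAD_PATH = "/d8743fgh"
# Hosts from the note's "Download sites" list. Assumption of this example:
# a leading "www." is stripped before matching.
DOWNLOAD_HOSTS = {
    "aeaccting.com", "asecontrids.com", "ashapeforlife.com", "ashtontan.com",
    "avsaroglubisiklet.com", "bhs-news.com", "borcom.de",
    "bosphorustekneleri.com", "consultingfranquean.com",
    "cortaestanciapolanco.com", "crna-macka.com", "dic-astra.com",
    "gug-gummi.com", "poemsan.info", "fasching-hallbergmoos.de",
}


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and list the campaign indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    sender_local, _, sender_domain = sender.rpartition("@")
    recipient_domain = recipient.rpartition("@")[2]
    hits = []
    # Forged From = noreply@<recipient's own domain>. A genuine internal MFP
    # looks the same, so this hit only counts together with the others.
    if sender_domain and sender_domain == recipient_domain and sender_local == "noreply":
        hits.append("sender_forged_as_recipient_domain")
    if str(msg.get("Subject", "")).strip() == SUBJECT:
        hits.append("subject_match")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append("attachment_pattern:" + name)
    # Threshold of two hits is an assumption of this example.
    return {"sender": sender, "recipient": recipient, "hits": hits,
            "suspicious": len(hits) >= 2}


def classify_url(url: str):
    """'known_host': listed host + payload path; 'path_only': payload path on an
    unlisted host (later compromised sites reuse the path); None otherwise."""
    parts = urlparse(url)
    if not parts.path.endswith(PAYLOAD_PATH):
        return None
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return "known_host" if host in DOWNLOAD_HOSTS else "path_only"


def scan_proxy_log(text: str) -> list:
    """Return (client, url, verdict) for a constructed 'ts client method url status' log."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            alerts.append((fields[1], fields[3], verdict))
    return alerts


# Constructed message modelled on the redacted header in the note; the
# attachment body is just the 7z magic bytes, not the real archive.
SAMPLE_EMAIL = b"""\
From: <noreply@example.com>
To: alice@example.com
Subject: Scanned image from MX-2600N
Date: Wed, 27 Sep 2017 13:15:45 -0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Attached file is scanned image in PDF format.
--b1
Content-Type: application/x-7z-compressed; name="20170927_572305.7z"
Content-Disposition: attachment; filename="20170927_572305.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--b1--
"""

# Constructed proxy log: listed host, www. variant, benign request, unlisted host.
SAMPLE_PROXY_LOG = """\
2017-09-27T15:16:02Z 10.0.0.7 GET http://aeaccting.com/d8743fgh 200
2017-09-27T15:16:09Z 10.0.0.7 GET http://www.fasching-hallbergmoos.de/d8743fgh 404
2017-09-27T15:17:30Z 10.0.0.9 GET http://example.org/index.html 200
2017-09-27T15:18:01Z 10.0.0.7 GET http://unlisted.example/d8743fgh 200
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL))
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*alert)
```

The forged-sender check on its own also matches a legitimate scanner on the recipient's domain, which is why the score needs a second hit; a gateway would additionally check SPF/DKIM alignment rather than trusting the visible From. The "path_only" verdict deliberately flags the /d8743fgh path on hosts not in the list, so the rule keeps working when further compromised sites join the wave.
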
Malware:
- Locky, "offline" .ykcol variant (encrypted files get the .ykcol extension)
- SHA256: 3e55a7a405e4c4e4ad6d19296ac512d6c32441d5a65419cd116faa672b11963c, MD5: dd4d46b9612efc391469bba8553358b6
- VT: https://www.virustotal.com/en/file/3e55a7a405e4c4e4ad6d19296ac512d6c32441d5a65419cd116faa672b11963c/analysis/1506531139/
- HA: https://www.hybrid-analysis.com/sample/3e55a7a405e4c4e4ad6d19296ac512d6c32441d5a65419cd116faa672b11963c?environmentId=100