Racco42

2017-09-05 Locky "New voice message"

Sep 5th, 2017
2017-09-05: #locky email phishing campaign "New voice message"

Email sample:
-------------------------------------------------------------------------------------------------------------------------
From: "Voicemail Service" <vmservice@[REDACTED]>
To: [REDACTED]
Subject: New voice message 14495013047 in mailbox 144950130471 from "14495013047" <2781148583>
Date: Tue, 05 Sep 2017 17:58:10 +1000

Dear user:

just wanted to let you know you were just left a 0:24 long message (number 14495013047)
in mailbox 144950130471 from "14495013047" <2781148583>, on Tue, 05 Sep 2017 17:58:10 +1000
so you might want to <a href="http://grande-flora.nl/MSG000-00090.7z>check</a> it when you get a chance. Thanks!

--Voicemail Service

Attachment: MSG000-000685.7z -> "Invoice INV-000907.vbs"
-------------------------------------------------------------------------------------------------------------------------
- sender is "vmservice@[sender's domain]"
- body is "New voice message <11 digits> in mailbox <12 digits> from "<11 digits>" <10 digits>"
- body contains a link that downloads a VBS downloader of the same kind as the attached one
- attached file "MSG000-000<3 digits>.7z" contains file "Invoice INV-000<3 digits>.vbs", a VBScript downloader which will download malware from one of the malware download sites.

Downloader download sites:

Malware download sites:

The malware is the same as in the "Invoice from Verizon" campaign: https://pastebin.com/FGr47Z3E
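
An added example (not part of the original paste) that checks a raw message against the sender, subject and attachment traits listed above. The subject pattern is applied to the Subject header as it appears in the email sample; `match_traits`, `archive_listing` and the `example.test` message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns transcribed from the traits the paste lists for this campaign.
SUBJECT_RE = re.compile(
    r'^New voice message \d{11} in mailbox \d{12} from "\d{11}" <\d{10}>$')
ARCHIVE_RE = re.compile(r"^MSG000-000\d{3}\.7z$", re.I)
INNER_VBS_RE = re.compile(r"^Invoice INV-000\d{3}\.vbs$", re.I)

# Constructed sample message (not a captured email); example.test is a placeholder.
SAMPLE = """\
From: "Voicemail Service" <vmservice@example.test>
Subject: New voice message 10000000001 in mailbox 100000000012
 from "10000000001" <2000000003>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user: (body omitted)
--b1
Content-Type: application/x-7z-compressed
Content-Disposition: attachment; filename="MSG000-000123.7z"

AAAA
--b1--
"""

def match_traits(raw, archive_listing=None):
    """Return campaign traits matched by a raw message. archive_listing
    (assumption): attachment name -> member names from the mail gateway."""
    msg = message_from_string(raw)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower().startswith("vmservice@"):
        hits.append("sender")
    # Collapse folded header whitespace before matching the subject.
    if SUBJECT_RE.match(" ".join(msg.get("Subject", "").split())):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if ARCHIVE_RE.match(name):
            hits.append("attachment")
            members = (archive_listing or {}).get(name, [])
            if any(INNER_VBS_RE.match(m) for m in members):
                hits.append("inner_vbs")
    return hits
```

Any single trait is weak on its own; the combination of the subject format with the archive and inner `.vbs` naming is what ties a message to this campaign.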