2016-12-05 Locky email phishing campaigns "Emailing: _xxxx_xxxx" / "No subject"
http://blog.dynamoo.com/2016/12/malware-spam-emailing-9376924272-no.html

Email sample (Emailing: _xxxx_xxxx):
--------------------------------------------------------------------------------------------------------------------
From: "Marina" <Marina.jeffeaux91@klachurch.org>
To: [REDACTED]
Subject: Emailing: _0828817_36073220
Date: Mon, 05 Dec 2016 15:24:01 +0530

Your message is ready to be sent with the following file or link
attachments:
_0828817_36073220

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.

Attachment: _0828817_36073220.xls
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- subject is "Emailing: _<digits>_<digits>"
- attached file "_<digits>_<digits>.xls" (same as subject) is a Microsoft Word file containing a macro that will download malware

Email sample (no subject):
--------------------------------------------------------------------------------------------------------------------
From: "Harold frisby" <Harold.frisby4@printprinters.com>
To: [REDACTED]
Subject: No subject
Date: Mon, 05 Dec 2016 02:39:06 -0700

Attachment: "20161205023906924885483.xls"
--------------------------------------------------------------------------------------------------------------------
- sender address varies between emails
- message has empty subject or "No Subject"
- email body is empty
- attached file "20161205<digits>.xls" is a Microsoft Word file containing a macro that will download malware
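As an added example (not part of the original paste), the two message shapes described above turned into a mail-gateway triage rule: a subject of the form "Emailing: _<digits>_<digits>" whose attachment carries the same stem plus .xls, or an empty / "No subject" message with an empty body and a "20161205<digits>.xls" attachment. The Email record, the label names and the sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical message record (assumption: fields already extracted by the gateway).
@dataclass
class Email:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)

# Wave 1: subject "Emailing: _<digits>_<digits>"; attachment is the same stem plus .xls.
SUBJECT_RE = re.compile(r"^Emailing: (_\d+_\d+)$")
# Wave 2: attachment "20161205<digits>.xls" with an empty subject/body.
NOSUBJ_ATTACH_RE = re.compile(r"^20161205\d+\.xls$")

def classify(msg: Email) -> Optional[str]:
    """Return a campaign label when a message matches either described pattern, else None."""
    names = [a.strip().lower() for a in msg.attachments]
    subject = msg.subject.strip()
    m = SUBJECT_RE.match(subject)
    if m and f"{m.group(1)}.xls" in names:
        return "locky-emailing"
    # The paste describes the second wave as empty subject (or "No subject") and empty body.
    if subject.lower() in ("", "no subject") and not msg.body.strip():
        if any(NOSUBJ_ATTACH_RE.match(n) for n in names):
            return "locky-nosubject"
    return None

def triage(msgs: List[Email]) -> List[str]:
    """Labels for a batch; 'clean' marks messages matching neither pattern."""
    return [classify(m) or "clean" for m in msgs]

# Constructed sample messages modelled on the two samples in the paste.
SAMPLES = [
    Email("Emailing: _0828817_36073220", "Your message is ready to be sent ...",
          ["_0828817_36073220.xls"]),
    Email("No subject", "", ["20161205023906924885483.xls"]),
    Email("Emailing: _0828817_36073220", "", ["report.xls"]),          # stem mismatch
    Email("Emailing: Q4 report", "See attached.", ["Q4_report.xls"]),  # benign lookalike
]

if __name__ == "__main__":
    for msg, label in zip(SAMPLES, triage(SAMPLES)):
        print(f"{label:16} subject={msg.subject!r} attachments={msg.attachments}")
```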

Download sites:

Malware:
- encoded on download, SHA256 c622a8e1a12f12134b3df5e145ea6f4e2d9d642fa08d2a59f1cff05b177558d4, MD5 08d478fba01b4ecd9bb0f1787869fcc4
- decoded SHA256 7acbf2edb7b7435e21cda70b6a0b7d3fdaed248b63d27208b3b1ca38a18c4a1d, MD5 dbacb9edc7b168e65b2e28f59218850b
- sample https://malwr.com/analysis/MGI4ZDdlNDZkN2RjNGM3YmI2YjYwOTNhZTc2MTA2NTc/
- encrypted files have .osiris extension

C2:
POST http://91.142.90.61/checkupdate
POST http://185.82.217.28/checkupdate
POST http://195.19.192.99/checkupdate