API tools faq
paste
Racco42

2016-12-05 Locky "Emailing" / no subject

Racco42
Dec 5th, 2016
1,588
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.03 KB | None | 0 0
raw download clone embed print report
  1. 2016-12-05 Locky email phishing campaigns "Emailing: _xxxx_xxxx" / "No subject"
  2. http://blog.dynamoo.com/2016/12/malware-spam-emailing-9376924272-no.html
  3.  
  4. Email sample (Emailing: _xxxx_xxxx):
  5. --------------------------------------------------------------------------------------------------------------------
  6. From: "Marina" <Marina.jeffeaux91@klachurch.org>
  7. To: [REDACTED]
  8. Subject: Emailing: _0828817_36073220
  9. Date: Mon, 05 Dec 2016 15:24:01 +0530
  10.  
  11. Your message is ready to be sent with the following file or link
  12. attachments:
  13.  
  14. _0828817_36073220
  15.  
  16. Note: To protect against computer viruses, e-mail programs may prevent
  17. sending or receiving certain types of file attachments. Check your e-mail
  18. security settings to determine how attachments are handled.
  19.  
  20. Attachment: _0828817_36073220.xls
  21. --------------------------------------------------------------------------------------------------------------------
  22. - sender address varies between emails
  23. - subject is "Emailing: _<digits>_<digits>"
  24. - attached file "_<digits>_<digits>.xls" (same as subject) is a Microsoft Word file containing a macro that will download malware
  25.  
  26. Email sample (no subject):
  27. --------------------------------------------------------------------------------------------------------------------
  28. From: "Harold frisby" <Harold.frisby4@printprinters.com>
  29. To: [REDACTED]
  30. Subject: No subject
  31. Date: Mon, 05 Dec 2016 02:39:06 -0700
  32.  
  33. Attachment: "20161205023906924885483.xls"
  34. --------------------------------------------------------------------------------------------------------------------
  35. - sender address varies between emails
  36. - message has empty subject or "No Subject"
  37. - email body is empty
  38. - attached file "20161205<digits>.xls" is a Microsoft Word file containing a macro that will download malware
  39.  
  40. Download sites:
  41. http://aetech-solutions.com/87t34f
  42. http://amcc.fr/87t34f
  43. http://andrewsassociates.org/87t34f
  44. http://angiebundy.com/87t34f
  45. http://antelope.co.uk/87t34f
  46. http://bioperson.es/87t34f
  47. http://buhu5.ru/87t34f
  48. http://cafe-bg.com/87t34f
  49. http://communicore.biz/87t34f
  50. http://dachbud.slask.pl/87t34f
  51. http://davetoll.com/87t34f
  52. http://dcareug.com/87t34f
  53. http://djelixir.com/87t34f
  54. http://elevenrooms.se/87t34f
  55. http://fm1111.fr/87t34f
  56. http://griptrix.com/87t34f
  57. http://kamico.net/87t34f
  58. http://kelbud.pl/87t34f
  59. http://kh2.co.uk/87t34f
  60. http://laferwear.com/87t34f
  61. http://masterstudio.org/87t34f
  62. http://milano.koscian.pl/87t34f
  63. http://pablopaz.com/87t34f
  64. http://paradiseinfiji.com/87t34f
  65. http://rongdaistudio.com/87t34f
  66. http://rsaf.cz/87t34f
  67. http://sevenseas.lk/87t34f
  68. http://soulscooter.com/87t34f
  69. http://srivasavi.mksystems.co.in/87t34f
  70. http://ssivendorinformation.com/87t34f
  71. http://stonerinsurance.com/87t34f
  72. http://subys.com/87t34f
  73. http://tppsk.marcinczaja.pl/87t34f
  74. http://tybor.hu/87t34f
  75. http://weegee.fr/87t34f
  76. http://www.riojadental.com/87t34f
  77. http://www.stavros.ca/87t34f
  78. http://zealcon.com/87t34f
  79.  
  80. UPDATED:
  81. http://analypia.com/87t34f
  82. http://braindouble.com/87t34f
  83. http://cstcarpenteria.it/87t34f
  84. http://denva-art.com/87t34f
  85. http://eng.camaix.de/87t34f
  86. http://facerecognition.com.ba/87t34f
  87. http://flax-fiber.com/87t34f
  88. http://goodgate.tv/87t34f
  89. http://jesperdk.com/87t34f
  90. http://kathollowell.com/87t34f
  91. http://ktlelektro.cz/87t34f
  92. http://mikegranditsky.com/87t34f
  93. http://peopleprofit.in/87t34f
  94. http://polgarorvasad.hu/87t34f
  95. http://rondurkin.com/87t34f
  96. http://slantmusic.net/87t34f
  97. http://sparky.com/87t34f
  98. http://test.grafixx.org/87t34f
  99.  
  100. UPDATE2:
  101. http://deminico.com/87t34f
  102. http://sublimeshop.co.uk/87t34f
  103. http://waat.co.uk/87t34f
  104.  
  105.  
  106. Malware:
  107. - encoded on download, SHA256 c622a8e1a12f12134b3df5e145ea6f4e2d9d642fa08d2a59f1cff05b177558d4, MD5 08d478fba01b4ecd9bb0f1787869fcc4
  108. - decoded SHA256 7acbf2edb7b7435e21cda70b6a0b7d3fdaed248b63d27208b3b1ca38a18c4a1d, MD5 dbacb9edc7b168e65b2e28f59218850b
  109. - sample https://malwr.com/analysis/MGI4ZDdlNDZkN2RjNGM3YmI2YjYwOTNhZTc2MTA2NTc/
  110. - encrypted files have .osiris extension
  111.  
  112. C2:
  113. POST http://91.142.90.61/checkupdate
  114. POST http://185.82.217.28/checkupdate
  115. POST http://195.19.192.99/checkupdate
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!