Racco42

2016-09-13 Locky "Accounts Documentation - Invoices"

Sep 13th, 2016
2016-09-13 #locky email phishing campaign "Accounts Documentation - Invoices"

Email:
---------------------------------------------------------------------------------------------------------
From: <CreditControl@[REDACTED]>
To: [REDACTED]
Subject: Accounts Documentation - Invoices
Date: Tue, 13 Sep 2016 11:22:52 +0200


Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.

If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:

CreditControl@[REDACTED]

Please do not reply to this E-mail as this is a forwarding address only.

Attachment: "~9605040057451.zip"
---------------------------------------------------------------------------------------------------------
- sender address is CreditControl@<recipient's domain>
- subject "Accounts Documentation - Invoices"
- attached file "~<random number>.zip" contains file "<random>.hta" which contains a JScript downloader

Download sites (actual URLs contain suffix ?<random>=<random> which does not influence the download):

UPDATE:

Malware:
- encoded on download, SHA256 53ef735d293aac618317c0e34ad4d8bbbd83b98fde13159df87e24047c726293, filesize 163840 bytes
- decoded SHA256 5c4b6cf06bea41cd231d9131c6958e95664f72b65c124461fb879b866dde963f
- executed by "rundll32.exe %TEMP%\OUJbeLSyX1.dll,qwerty"


C2:
no C2 communication
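The traits listed above (sender at the recipient's own domain, the fixed subject, the "~<random number>.zip" attachment, the shared download path with an ignorable query string, and the rundll32 launch with the "qwerty" export) turned into mail, proxy-log and process-creation checks, as an added example that is not part of the paste; the sample message and the helper names are constructed here.

```python
import re
from email import message_from_string
from typing import List, Sequence
from urllib.parse import urlparse

# Indicators from the paste: subject line, URL path shared by every download site,
# "~<random number>.zip" attachment name, and the rundll32 export name "qwerty".
SUBJECT = "Accounts Documentation - Invoices"
URL_PATH = "/vdG76VUY76rjnu"
ZIP_NAME_RE = re.compile(r"^~\d+\.zip$", re.IGNORECASE)
ADDR_RE = re.compile(r"([^<>@\s]+)@([^<>\s]+)")
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+\S*\.dll,qwerty\b", re.IGNORECASE)

def email_traits(raw: str, attachment_names: Sequence[str] = ()) -> List[str]:
    """Return the campaign traits found in one RFC 822 message plus its attachment names."""
    msg = message_from_string(raw)
    hits = []
    sender = ADDR_RE.search(msg.get("From", ""))
    recipient = ADDR_RE.search(msg.get("To", ""))
    # The lure is sent as CreditControl@ at the recipient's *own* domain.
    if (sender and recipient and sender.group(1).lower() == "creditcontrol"
            and sender.group(2).lower() == recipient.group(2).lower()):
        hits.append("sender_uses_recipient_domain")
    if msg.get("Subject", "").strip() == SUBJECT:
        hits.append("campaign_subject")
    if any(ZIP_NAME_RE.match(name) for name in attachment_names):
        hits.append("tilde_numeric_zip")
    return hits

def is_download_url(url: str) -> bool:
    """Any host, fixed path; the ?<random>=<random> query is ignored, as the paste notes."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.path == URL_PATH

def is_payload_launch(cmdline: str) -> bool:
    """Process-creation check for the documented 'rundll32.exe <path>.dll,qwerty' launch."""
    return RUNDLL_RE.search(cmdline) is not None

# Constructed sample message (not from the paste) that mirrors the documented headers.
SAMPLE_EMAIL = """\
From: <CreditControl@example.org>
To: <accounts@example.org>
Subject: Accounts Documentation - Invoices

Please find attached the invoice(s) raised on your account today.
"""
```

Feed real headers, proxy URLs and process command lines through the three functions and alert on any message that collects all three email traits or on any host that matches both the URL and the rundll32 check.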