2016-09-12 #pony / #locky email phishing campaign "Image / Photo / Photos / Picture / Document"
Email sample:
---------------------------------------------------------------------------------------------
From: "Simone" <Simone0751@packstation.de>
To: "filiale@packstation.de" <filiale@packstation.de>
Subject: Picture
Date: Mon, 12 Sep 2016 06:17:02 -0700
Attachment: PC_20160830_6_83_4_Pro.zip
---------------------------------------------------------------------------------------------
- Sender address is forged so the email appears to come from the recipient's own domain
- Subject is "Image", "Photo", "Photos", "Picture" or "Document"
- Email body is empty
- Attachment named "[DC|IG|PC|PH|WP]_20160830_<number>_<number>_<number>_Pro.zip" contains a single file "<random chars>.wsf" (Windows Script File), a JScript downloader
Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):
http://abcdraw.biz/8fh34f3
http://adasurgical.com/7g6bubt7v
http://adss30.net/8fh34f3
http://agileprojects.ro/7g6bubt7v
http://allcateringservices.in/7g6bubt7v
http://anatoliamaket.com/7g6bubt7v
http://annurmaheshphotography.in/7g6bubt7v
http://ativa3.tempsite.ws/8fh34f3
http://aycilinsaat.com/7g6bubt7v
http://bangbang55.com/8fh34f3
http://biogreentech.in/7g6bubt7v
http://cardimax.com.ph/7g6bubt7v
http://cbautocare.com.au/7g6bubt7v
http://citycollection.com.tr/7g6bubt7v
http://clickhubli.com/8fh34f3
http://clickroses.com/8fh34f3
http://cloudrepublic.com.au/7g6bubt7v
http://craskart.com/7g6bubt7v
http://crazycreations.in/8fh34f3
http://cyndiandthedrums.com/7g6bubt7v
http://dashingleather.com/7g6bubt7v
http://demo.hubliclick.in/8fh34f3
http://eaglecorp.nl/7g6bubt7v
http://files.mostafaahmadi.ir/8fh34f3
http://flexfitent.com/7g6bubt7v
http://gift2belgaum.com/8fh34f3
http://goldenladywedding.com/7g6bubt7v
http://gunturnayeebrahminemployees.com/8fh34f3
http://herosoft.biz/8fh34f3
http://hostit.co.in/8fh34f3
http://iandiinternational.com/7g6bubt7v
http://icloudrepublic.com/7g6bubt7v
http://jmetalloysllp.com/7g6bubt7v
http://kitsgnt.com/8fh34f3
http://linosys.info/7g6bubt7v
http://livewebsol.com/7g6bubt7v
http://mimiphotography.com.au/7g6bubt7v
http://mottofotograf.com/8fh34f3
http://mylespollard.com.au/7g6bubt7v
http://mysoregiftsflowers.com/8fh34f3
http://npinfosoft.16mb.com/8fh34f3
http://nysekolintsika.mg/8fh34f3
http://onlinepurohit.com/7g6bubt7v
http://partyeazy.com/8fh34f3
http://platformarchitects.com.au/7g6bubt7v
http://platforms-root-technologies.com/8fh34f3
http://pmlojistik.com/8fh34f3
http://rapiderbariyer.com/7g6bubt7v
http://safiazsports.com/7g6bubt7v
http://samssara.com/8fh34f3
http://sasmgs.org/8fh34f3
http://scottygooding.com.au/7g6bubt7v
http://scpolytechnic.com/8fh34f3
http://site1382371826.provisorio.ws/8fh34f3
http://sowhatresearch.com.au/7g6bubt7v
http://supperuploadtestspeed.ws/7g6bubt7v
http://syamasahithi.com/8fh34f3
http://synergyconnect.in/8fh34f3
http://synergywaterproofing.com.au/7g6bubt7v
http://technometics.com/8fh34f3
http://thepodiatrycentre.com.au/7g6bubt7v
http://tranzporthub.com/7g6bubt7v
http://Ungelie.com/7g6bubt7v
http://utsavi.net/7g6bubt7v
http://vajrammatrimony.com/8fh34f3
http://walkerandhall.co.uk/7g6bubt7v
http://wamasoftware.com/8fh34f3
http://websamrat.in/8fh34f3
http://www.alfajerdecor.com/7g6bubt7v
http://www.ausaf.pk/8fh34f3
http://www.jmetalloysllp.com/7g6bubt7v
http://www.mehrabtech.ae/7g6bubt7v
http://www.pstimes.com/7g6bubt7v
http://www.rajashekharkubasad.com/8fh34f3
http://www.villakeratea.it/8fh34f3
http://yesiloglugrup.com/7g6bubt7v
Malware:
- http://***/8fh34f3 = #pony
- payload is served encoded; SHA256 of the encoded download c01e710ca89fd333bf87a518baa78a9420c997993546bf518cf712248188bd79, filesize 240944 bytes
- SHA256 of the decoded payload b88e84d9c7c407c7bad40777e87413628d8786af643d1581aa9aa82209751fd7
https://www.reverse.it/sample/36435b4403482ca5f199bcb841e3dd7da0f024dace3ef5c8bc599e4fb1df494c?environmentId=100
https://www.reverse.it/sample/1547186cf2b0d173d8473948db987eca964a2269f5e0642bb3a3f7e296fa9c62?environmentId=100
https://www.reverse.it/sample/93c4c426a2fb8d4d1a5e81a2bd61f677df95ce1db5da989609de3b103d71c4e3?environmentId=100
https://www.reverse.it/sample/38fe885783e328b8d0e2b8474da66311d122d8d136296a37f1c0fdf8dec23246?environmentId=100
https://www.reverse.it/sample/897c8f7e1eaf92a2b93f30cad89489f92a75afaa463ab2fb16882b9803a7ad7c?environmentId=100
https://www.reverse.it/sample/79031d3761ee7f23e42323abd960ec2132b469aad1dd81690f89c41aa4ccfe70?environmentId=100
- http://***/7g6bubt7v = #locky
- payload is served encoded; SHA256 of the encoded download 95332332374ce3d242cbe1a693b9d315972b6aa5e266bcab3deb1ec441ee0f10, filesize 159744 bytes
- SHA256 of the decoded payload bbfb4c0bbae915cc719325970c0cc9e9bf144d96043b9cc7c18a328a2e69a2c5
https://www.reverse.it/sample/b6b98bf9ddcb6557b7c789b17954714ddd0c9ea932b9b5efebca01b7853a9446?environmentId=100
https://www.reverse.it/sample/b16c5558ccc93c67562d4a4112f0b36bdb5ab8fd09e7ea415110f300a9c0f5cc?environmentId=100
https://www.reverse.it/sample/0a7c05644aa12298952157817f9757bf48bb08b17ec1285c35276d644fc93aee?environmentId=100
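Added triage example (not part of the original paste): a small Python script that turns the indicators above into checks a mail-gateway or IR analyst can run offline. It tests a raw message for the four email-level traits (From: domain equal to To: domain, subject in the campaign set, empty body, attachment name pattern), looks inside the zip for a .wsf member, and maps a download URL to its payload family by the path alone, since the paste states the ?<random>=<random> suffix does not influence the download. The sample message and the zip member are constructed here for the demonstration; the .wsf content is a harmless placeholder, and nothing here decodes the downloaded payload because the paste does not describe the encoding.

```python
import io
import re
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators taken from the paste above.
SUBJECTS = {"Image", "Photo", "Photos", "Picture", "Document"}
ATTACHMENT_RE = re.compile(r"^(?:DC|IG|PC|PH|WP)_20160830_\d+_\d+_\d+_Pro\.zip$")
PAYLOAD_BY_PATH = {"/8fh34f3": "pony", "/7g6bubt7v": "locky"}


def classify_url(url):
    """Map a download URL to its payload family using only the path.

    The ?<random>=<random> query string is ignored (the paste notes it does not
    affect the download) and the host is irrelevant, only the path matters."""
    return PAYLOAD_BY_PATH.get(urlsplit(url).path)


def _domain(header_value):
    """Lower-cased domain part of an address header, '' if none."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_forged_as_recipient_domain(msg):
    """True when the From: domain equals the To: domain (spoofed internal sender)."""
    sender, rcpt = _domain(msg.get("From", "")), _domain(msg.get("To", ""))
    return bool(sender) and sender == rcpt


def body_is_empty(msg):
    """True when no text/plain part carries anything but whitespace."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if (part.get_payload(decode=True) or b"").strip():
                return False
    return True


def wsf_members(zip_bytes):
    """Names of .wsf members in an in-memory zip; empty list if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
            return [n for n in z.namelist() if n.lower().endswith(".wsf")]
    except zipfile.BadZipFile:
        return []


def score_message(raw):
    """Return the list of campaign indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if sender_forged_as_recipient_domain(msg):
        hits.append("sender-domain-equals-recipient")
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("subject-in-campaign-set")
    if body_is_empty(msg):
        hits.append("empty-body")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if ATTACHMENT_RE.match(name):
            hits.append("attachment-name-pattern")
        if wsf_members(part.get_payload(decode=True) or b""):
            hits.append("zip-contains-wsf")
    return hits


def build_sample():
    """Constructed message mirroring the headers in the paste.

    The zip member is a harmless placeholder, not the real downloader."""
    msg = MIMEMultipart()
    msg["From"] = '"Simone" <Simone0751@packstation.de>'
    msg["To"] = '"filiale@packstation.de" <filiale@packstation.de>'
    msg["Subject"] = "Picture"
    msg["Date"] = "Mon, 12 Sep 2016 06:17:02 -0700"
    msg.attach(MIMEText("", "plain"))  # empty body, as in the campaign
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("kq3x9v.wsf", "<job></job>\n")  # placeholder, random-looking name
    att = MIMEApplication(buf.getvalue(), "zip")
    att.add_header("Content-Disposition", "attachment",
                   filename="PC_20160830_6_83_4_Pro.zip")
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    print(score_message(build_sample()))
    for u in ("http://abcdraw.biz/8fh34f3?ab12=cd34", "http://Ungelie.com/7g6bubt7v"):
        print(u, "->", classify_url(u))
```

On a real mailbox export, feed each message to score_message and treat four or more hits as a confirmed sample; classify_url is meant for proxy logs, where the same two paths reappear across all the compromised hosts in the list.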