API tools faq
paste
Racco42

2016-09-13 Locky "Equipment receipts"

Racco42
Sep 13th, 2016
1,571
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.05 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-13 #locky email phishing campaign "Equipment receipts"
  2.  
  3. Email:
  4. -----------------------------------------------------------------------------------------
  5. From: "Marianne Price" <Price.245@talentstaffing.co.uk>
  6. To: [REDACTED]
  7. Subject: Equipment receipts
  8. Date: Tue, 13 Sep 2016 18:43:31 +0100
  9.  
  10. Good day [REDACTED], Ramona asked you to file the office equipment receipts.
  11. Here is the photocopying equipment receipts purchased last week.
  12.  
  13. Please send him the complete file as soon as you finish.
  14.  
  15. Best regards,
  16. Marianne Price
  17.  
  18. Attachment: "93cf94b54aa3.zip"
  19. -----------------------------------------------------------------------------------------
  20. - sender differs between emails
  21. - subject is "Equipment receipts"
  22. - attached file "<random hexa chars>.zip" contain two identical file "Equipment receipts <random hexa chars>.wsf" and "Equipment receipts <random hexa chars> (copy).wsf"; a JScript downloaders
  23.  
  24. Download site:
  25. http://aborik.net/acvzm
  26. http://adzebury.com/frsf327
  27. http://duelrid.com/h03rixi
  28. http://duelrid.com/h03rixif
  29. http://latexuchee.net/c4i03t
  30. http://maydayen.net/e5tjm0
  31. http://pradkevyn.net/5vofqf5o
  32.  
  33. Malware:
  34. - encoded on download, filesize 188932 bytes
  35. 3a03fea007ae2a2225ae21d5d410b79c38710c6a3c71d389d9e302b4d20fa540 http___aborik.net_acvzm
  36. 7246e9f5746b7473c895b49dfdc635f69c16315e977ada8d79b2e9af346b55d4 http___adzebury.com_frsf327
  37. 8dd546ffd37838c2897e9873ac54162945971c14601996146ed026ed43c3bc6f http___duelrid.com_h03rixi
  38. fe2001ed80d474ab7b7885fe47a8c8857458fb26114dce512fed1143a7482e49 http___latexuchee.net_c4i03
  39. 14970989e0e47ca39288ccf8347cfd7450fbfcd1ce656102e73473deb4ccfc2f http___maydayen.net_e5tjm0
  40. 59ca81a5b283a3bc2fb5b1e486ea48ccc8a32eb08aa8d0fc1b5381180a118b21 http___pradkevyn.net_5vofqf5o
  41. - decoded
  42. e4be5694a2bd75847d5ffdebe57e2cf62e9e789562238eb5aa28e73beb93f81e http___aborik.net_acvzm
  43. b13a0fe24759a455f4454f235d514b4c7ff77673f26f8dee333f3232d1577ca4 http___duelrid.com_h03rixi
  44. a523f7064ebcccc3fe0e74e3f920bdd862e8d678bfba3a442e21a22e15b104e9 http___latexuchee.net_c4i03
  45. 3e5d49dbffefc1dcea7ea18ab1e84abbf8b75cd1fff82047b8cca592d7c3f7c2 http___maydayen.net_e5tjm0
  46. a289f1aef0e4860f47ce91d9ef24ec297c051842ce6b7c5ee0d7fa6ea8629184 http___pradkevyn.net_5vofqf5o
  47.  
  48. - executed by "rundll32.exe %TEMP%\DZMWET~1.DLL,qwerty 323"
  49.  
  50. https://www.reverse.it/sample/f19e99b6cf11c943f728e7f4e050e36aa2ce20372e9112aea85eea471f89dd42?environmentId=100
  51. https://www.reverse.it/sample/95412ee731cc1c2f15fd8735bf6dec530f62554bf24b4c295e3cac699b66edb0?environmentId=100
  52. https://www.reverse.it/sample/c98b72eec6b71750f5676271093b92b7d9e51789e7f07721ffef8b2f4e5010c2?environmentId=100
  53. https://www.reverse.it/sample/355a2076f6330df0fa8e9f86611d17c0ea390c49da485cf75b2b7ec81ca3ca81?environmentId=100
  54. https://www.reverse.it/sample/0d5b4f605bc5cdc9e68f3f44459a684eba34bfe5944b6a6349745f7c95f449e0?environmentId=100
  55. https://www.reverse.it/sample/84a00ba7ef330263693960737c3f125b6cd34c1202c02bd470086cbfa0a79ad1?environmentId=100
  56. https://www.reverse.it/sample/c9a6459849d44e2103eb30ab22eab8854de426178b149bd01fa7a2dc7119e522?environmentId=100
  57. https://www.reverse.it/sample/eb4af1506b554820f64039e49c8c058843da47ab59ecc05be8a5aa1a1981e4d2?environmentId=100
  58. https://www.reverse.it/sample/c001a071cf6aca6a7fd732b73a0b08e224de36f6adad4fb59c750cc327c736b6?environmentId=100
  59. https://www.reverse.it/sample/4449c71a096c4cd9947a7247e3432552fb6ae9afd04e2a4b6a427beaf24baff0?environmentId=100
  60. https://www.reverse.it/sample/2e5123d11e1832a65cb6823229ba49fccd0ec82229397abae9579ca23b881b88?environmentId=100
  61. https://www.reverse.it/sample/504eefd7e9683588b1107700531668598b367215664a519fba2ec5ff4ed5014e?environmentId=100
  62. https://www.reverse.it/sample/21c9fd5e461e8f08483e6ca792b56d069c38f68cc51c00537937d2dab16d4d3d?environmentId=100
  63. https://www.reverse.it/sample/6059f4ba9eb66656a7fac285577e53fde2c14ed665b4f4a2f5218ffdf80313ec?environmentId=100
  64. https://www.reverse.it/sample/ebb9658ea2447404b5c84f558f6194fb8f379fdaad6a1b8cb550cebddeda03f4?environmentId=100
  65.  
  66. C2:
  67. 51.255.105.2:80/data/info.php
  68. 95.85.29.208:80/data/info.php
  69. yofkhfskdyiqo.biz:80/data/info.php [69.195.129.70]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!