- 2016-09-06 #locky email phishing campaign "Suspected Purchases"
- Email sample (sender address varies)
- -----------------------------------------------------------------------------------------------
- From: "Angelica Brewer"
- To: [REDACTED]
- Subject: Suspected Purchases
- Dear [REDACTED],
- We have suspected irregular purchases from the company's account.
- Please take a look at the attached account balance to see the purchase history.
- Best Regards,
- Angelica Brewer
- Support Manager
- ----------------------------------------------------------------------------------------------
- Attached file "<random_hexchars>.zip" contains 2 identical files, "FAAD4310 Suspected_Purchases_PDF.js" and "FAAD4310 Suspected_Purchases_PDF - 1.js": JScript downloaders
- Download sites:
- http://canonsupervideo4k.ws/2sye3alf
- http://darkestzone2.wang/32rdw52w
- http://donttouchmybaseline.ws/89rwr
- http://listofbuyersus.co.in/jy5fkrp
- http://onlybest76.xyz/pkaiqr9
- http://tradesmartcoin.xyz/rwevvv3a
- http://videoconvertermac.in/t8qmxptm
- http://virmalw.name/uw2vyhpd
- Malware encoded on download, filesize 166,404 bytes
- e3527c5883bdac9d5556667cdbf409f577b9eadda42e4300f2bd9db2293f753e http___canonsupervideo4k.ws_2sye3alf
- 3704944218259b9f0ac89ed7c408c426cb69f6dc66f8b8db1eec5d3d7741fcc0 http___darkestzone2.wang_32rdw52w
- dec2186e662576b9d0fea534e02aef21e645ab4e97bee27a69d4daca56b3d733 http___donttouchmybaseline.ws_89rwr
- 06cb691f03d72984ae06f005700af6712930d082b9bfe7c253c4212437a526c0 http___tradesmartcoin.xyz_rwevvv3a
- f56e3155b640b83ba0243018b5d0247535a0451bce58ead35b72a53f5a37c9df http___virmalw.name_uw2vyhpd
- https://www.reverse.it/sample/54f736984e67684355e23b711982e21e9a0911cc552b24d4d8deac191706eb9d?environmentId=100
- https://www.reverse.it/sample/993159d036589d18b0bdb4e3de2dbd2c1f94ccfe58280dcc1ac736b80409fcf9?environmentId=100
- https://www.reverse.it/sample/480a45cbcd693474cb128c2b4552b40453dc4b5fe8002bf49968197a3bcfb735?environmentId=100
- https://www.reverse.it/sample/5ffda2e7ddae7503d56a53980ef0c3b0574eff9322d219dba484e93303dfe4e9?environmentId=100
- https://www.reverse.it/sample/ebd957bff116879685fd77ae6feaac53c1987c201b1604e831607f177cbb72e7?environmentId=100
- executed by "rundll32.exe %TEMP%\xxxxxxx.DLL,qwerty 323"
- C2:
- 85.154.15.150:80/data/info.php
- 185.162.8.101:80/data/info.php
- 91.211.119.71:80/data/info.php
- 158.255.6.109:80/data/info.php
- gsejeeshdkraota.org/data/info.php [188.120.232.55]
- mvvdhnix.biz/data/info.php [52.0.217.44]
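- Added example (not part of the original paste): a Python script that turns the IOCs above into detection logic and runs it over constructed proxy and process-creation log lines. The download URLs, C2 hosts, the "/data/info.php" path and the "rundll32.exe %TEMP%\xxxxxxx.DLL,qwerty 323" command line are taken from the list above; the two log formats and every sample log line are assumptions made for the example.

```python
"""Match the Locky "Suspected Purchases" IOCs listed in the paste against
constructed proxy and process-creation logs.  Example code added to this
page; it is not part of the original paste.  Log formats are assumed."""
import re
from urllib.parse import urlsplit

# Download sites transcribed from the paste, stored as (host, path) pairs.
DOWNLOAD_URLS = [
    "http://canonsupervideo4k.ws/2sye3alf",
    "http://darkestzone2.wang/32rdw52w",
    "http://donttouchmybaseline.ws/89rwr",
    "http://listofbuyersus.co.in/jy5fkrp",
    "http://onlybest76.xyz/pkaiqr9",
    "http://tradesmartcoin.xyz/rwevvv3a",
    "http://videoconvertermac.in/t8qmxptm",
    "http://virmalw.name/uw2vyhpd",
]
DOWNLOAD_PAIRS = {(urlsplit(u).hostname, urlsplit(u).path) for u in DOWNLOAD_URLS}

# C2 hosts transcribed from the paste: bare IPs, the two domains and their resolved IPs.
C2_HOSTS = {
    "85.154.15.150", "185.162.8.101", "91.211.119.71", "158.255.6.109",
    "gsejeeshdkraota.org", "188.120.232.55",
    "mvvdhnix.biz", "52.0.217.44",
}
C2_PATH = "/data/info.php"


def classify_url(url):
    """Return 'locky_download', 'locky_c2' or None for one requested URL."""
    if "://" not in url:          # some proxies log host/path without a scheme
        url = "http://" + url
    parts = urlsplit(url)         # .hostname drops the port and lower-cases
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if (host, path) in DOWNLOAD_PAIRS:
        return "locky_download"
    if host in C2_HOSTS and path == C2_PATH:
        return "locky_c2"
    return None


# rundll32 loading a DLL from the user's temp directory with export "qwerty"
# and argument 323, as recorded in the paste.  Accepts the literal %TEMP%
# form or its expanded ...\Temp\ form; the DLL name itself varies.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"\s]*(?:%TEMP%|\\Temp)\\[^\\"\s]+\.dll"?\s*,\s*qwerty\s+323(?!\d)',
    re.IGNORECASE,
)


def is_locky_rundll32(cmdline):
    return RUNDLL32_RE.search(cmdline) is not None


# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, verdict, url) for every line that hits an IOC."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m.group("url"))
        if verdict:
            hits.append((m.group("ts"), m.group("client"), verdict, m.group("url")))
    return hits


def scan_process_log(lines):
    """Assumed format: "<timestamp> <host> <user> <command line>"; return (ts, host, user) hits."""
    hits = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) == 4 and is_locky_rundll32(parts[3]):
            hits.append((parts[0], parts[1], parts[2]))
    return hits


# Constructed sample logs (not real traffic): one host fetches a payload and
# checks in to two C2s; a second host touches look-alike but benign URLs.
SAMPLE_PROXY_LOG = [
    "2016-09-06T09:12:44Z 10.1.4.23 GET http://canonsupervideo4k.ws/2sye3alf 200",
    "2016-09-06T09:12:51Z 10.1.4.23 POST http://85.154.15.150:80/data/info.php 200",
    "2016-09-06T09:13:02Z 10.1.4.23 POST http://mvvdhnix.biz/data/info.php 200",
    "2016-09-06T09:13:10Z 10.1.4.57 GET http://example.com/data/info.php 200",
    "2016-09-06T09:13:15Z 10.1.4.57 GET http://canonsupervideo4k.ws/ 404",
]
SAMPLE_PROCESS_LOG = [
    r"2016-09-06T09:12:50Z WS-0423 CORP\jdoe rundll32.exe C:\Users\jdoe\AppData\Local\Temp\7F3A9C1D.DLL,qwerty 323",
    r"2016-09-06T09:14:00Z WS-0423 CORP\jdoe rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", *hit)
    for hit in scan_process_log(SAMPLE_PROCESS_LOG):
        print("process:", *hit)
```

- The download URLs are matched on the exact host and path pair rather than on the domain alone, because several of the listed domains may also serve unrelated content; the C2 check is host plus the fixed "/data/info.php" path, with the port ignored since the paste records port 80 for all of them. The rundll32 pattern keys on the "qwerty" export and the "323" argument, which is more specific than "rundll32 loading a DLL from %TEMP%" on its own.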