Racco42

2016-09-22 Locky "Package #DHxxxxxxx"

Sep 22nd, 2016
2016-09-22 #locky email phishing campaign "Package #DHxxxxxxx"

Email:
-----------------------------------------------------------------------------------------------------------------
From: "DHL Express" <Mays.69642@brasiltelecom.net.br>
To: [REDACTED]
Subject: Package #DH9787801
Date: Thu, 22 Sep 2016 08:10:13 -0200

Dear [REDACTED],

The package #DH9787801 you ordered has arrived today. There is some confusion in the address you provided.
Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.

-----
Shelby Mays
DHL Express Support

Attachment: "52eb3db6c6d.zip"
-----------------------------------------------------------------------------------------------------------------
- the sender address varies between emails, but the display name is always "DHL Express"
- the subject is "Package #DH<random 7 digits>"
- the attached file "<random hex chars>.zip" contains a junk file with a one-letter name and a file named "package dhl express ~<random hex chars>~.js", a JScript downloader

Download sites:
http://108.174.196.88/8dpg3
http://acefur.com/htgm2
http://affordabledentaltours.com/g8xa1lt
http://agrobase.com.br/440xm5
http://aimshospital.net/80jwdm
http://alloftime.com/ntuxu
http://apolycarpou.com/r5r6kadt
http://atlaszine.com/32gycls8
http://audit1040.com/xgq7z
http://c-hatas.com/khrwzwh
http://debie.pl/h3tf68zi
http://ferealestateservices.com/g0pvpekt
http://fire-riskassessment.com/rv6e94
http://forumeritrea.org/ypbgxs1c
http://fosung.com/nn86g3yd
http://fsathai.org/g7tx5j
http://hijaukuning.com/h7nvp
http://hockey-stock.com/tnmtya0j
http://hotelvegas.net/9ijhjjfr
http://hr-management-dimensions.co.uk/fw5v4
http://imperiumcf.com/icepacoy
http://indonesiawebpromotion.com/i5swpit
http://ingesof.com/92glixod
http://ircfm.net/j60zxul8
http://iuvade.com/xkx7oa4
http://kk-plaisir.com/uuz6o
http://knitbliss.com/h8cqi
http://liatrisguzellik.com/o6zlocdo
http://lightpack.tv/l5oooi5
http://marbellauniversity.com/c7ux2du
http://mavisehirrotaract.org/709sg0
http://mobilenewscwp.co.uk/japh6
http://mutterundkind.com/lsk2p
http://npchemical.net/h0qwdu
http://on-point.be/i98o9z
http://reloaded-xb.com/sgjoa8dv
http://sabiaito.net/32gycls8
http://sabiaito.net/5aolo
http://saigonvisa24h.com/7nndognh
http://sanitaskliniek.nl/mqaupi
http://serbmusic.org/md1w2z
http://shiyunwuliu.com/lx2la
http://spb-gruz.ru/i6hqv
http://squidhob.net/1iwex
http://squidhob.net/4iyleh
http://stentormusic.com/wdexgcq
http://stingerpest.com/qicfo9
http://stradalli.com/siljxiy
http://swadsexto.com/1imkfsu
http://swadsexto.com/440xm5
http://talleresbonillo.com/63hxt
http://tourtoon.com/0hlbm
http://tourtoon.com/3vn66g8v
http://unykmanagement.com/fpf8ftj
http://usedkerri.com/3eb7mww7
http://usedkerri.com/5k9do1wm
http://victoriajolie.com/ty1zspw0
http://wallytech.net/7d22shmw
http://wccfzone.net/sjbch0t
http://yessyber.com/mnlysu

Malware:
- the payload is served encoded; the JScript downloader decodes it before running it. Encoded file sizes: 156676 and 157188 bytes
1f3e0f0725e884a44f901eff3cdda490a24f778a1a3189ff0349370d12d6d6b4 http___108.174.196.88_8dpg3
8deedc69245dc352a7eb915ccdaa32b921adbb68e80808a07d3c7a43440682e5 http___acefur.com_htgm2
9bba13b7b74033ad72b42c785cb72d815475030a18de1cf76d8ea14d26ec1ee7 http___alloftime.com_ntuxu
c1780255cbabbdc9fa0a4b1d1cf3ba14d2dfdd70e077bc8e09c789cec63d7cbb http___apolycarpou.com_r5r6kadt
4a56b8e5a86ed99185886b6c3e2cfdf66edf61d7f1ef4dc2ac0f75c116b9de5d http___audit1040.com_xgq7z
654546618f2c78e081bd5cfc72da68be87d39709fe08c65874b0b45abc77f1d3 http___c-hatas.com_khrwzwh
d5ad665ddb2c54adbc7c6efe1ab17477048babdd2433d55775e8707b3e7df4ab http___debie.pl_h3tf68zi
057953bcd7586d1729c539b3e40a930566abd5d858cbc6ac0589d56b8184addc http___fosung.com_nn86g3yd
16c149c273b665aaf5b3cec62c47b1e9cc865ad5274c3f13fce4945b74c9b34d http___fsathai.org_g7tx5j
cf0f749f20e99b4e2a19262c9d681c7f947fc60d4e0c3997561194b651e5d83a http___hockey-stock.com_tnmtya0j
fc224fb5da3f96cc2e5fb9740c0fda4dca37e3e981bc4b0c6c90e3b941c4c6c2 http___hr-management-dimensions.co.uk_fw5v4
b636cf5c54499055c157f401d11ac56acda0704ab42a9abdbe8de4b76b8a51d1 http___ingesof.com_92glixod [1]
3ad6cea414757a4a34387ce37d4b860e83a92c9db315078862d4d26640055e78 http___indonesiawebpromotion.com_i5swpit
aad46aafc75b6d940709af8acd94234abee78edb7edb5edfe4f05e58d8bb1199 http___ircfm.net_j60zxul8
d26a23d7aa2170f8120703809a98304396df3dcbb7e7528a40ccd952c11fda60 http___kk-plaisir.com_uuz6o
e5b4122e2f804a4be157670ae7e4edc250679226b6447680ee3b12ac5f26bb38 http___knitbliss.com_h8cqi
f1faaec8eb27effdde5e0ff8804ee8655023c20f3d5f1712a6439d36663347fd http___liatrisguzellik.com_o6zlocdo
9660124d5c6de74f356497ae7df235a0ed690f7af2d64f0ac8a5c64aacea63a1 http___mavisehirrotaract.org_709sg0
b199ac11405e94cdd13c024dddbcca0764601768e82c7b9f04592d3fdeb2d490 http___mobilenewscwp.co.uk_japh6
a328586804cbec716fe6c82bf1045ae98d4fb6ec3bbc0bf8a95dba53e273b331 http___mutterundkind.com_lsk2p [2]
2c19c4041d7f76ea800e168cde47e1f1d67627063339807e8ab855b47ccc12ad http___npchemical.net_h0qwdu
20c2ae769eb25786c0eae77995d509061dfacf5f4946e078341d386798c1e2bf http___sabiaito.net_32gycls8
860d3e763a0ea66118ae25ec2f8b6b20cebc4d40b5843271e8904f8cdaf66037 http___sabiaito.net_5aolo
d1152210079d1c62779bb9dfdfd4a7d2fdf2bb6f41f7f17734c55a6a9d3e8279 http___serbmusic.org_md1w2z
cbc068316e785bb2ccec1743555aadf5010c440d941782b4573e3c8be4ae1f5b http___squidhob.net_1iwex
b8a78bd8ebf97e0c907eb05dad85e37b5394b94910df1579f1c22603c9abadb4 http___squidhob.net_4iyleh
18afd3f63b22a06a92e40f38fb28eba79d3dcd963ad53f76cfddc4ba47226335 http___stentormusic.com_wdexgcq
2854571a63a789ada0dbfa6ff0019c6fca101bcac551fe3807b55873f040137b http___stradalli.com_siljxiy
5b0eedb2c262c1f237b4abd12f84f4edcb82212f63aa0e556b6ff11f86138216 http___swadsexto.com_1imkfsu
363864fe06ae7527af4e170d3195423e408f62e648f419b1414bda470911df47 http___swadsexto.com_440xm5
b0efd0d3e31114c524d8870b0deca5ba8b3d37343a1dfd799ce8c70f7cc2f46a http___tourtoon.com_0hlbm
839c1a8dd3c7e3fbbf4831147deaacccae1021d0819fefcc25a562149d662029 http___tourtoon.com_3vn66g8v [3]
efbd15f6794bc208cff2b1f0ddc6e6069a4b3b97955cb191b5b2581f45045da6 http___usedkerri.com_3eb7mww7
d217cdc24cda52886459c5e172247b1a60a518420dfacedda091c6f60819d1ca http___usedkerri.com_5k9do1wm
1cfb2d0b891e660e2bf5bf01fe0f5faf28db7795fa7ef622ed93a384a0bd80f1 http___wallytech.net_7d22shmw
f6e05754d797ef8ed45d9c861cbae2f7dfddec36e7a2cd2b76a0c36aa5855009 http___wccfzone.net_sjbch0t
- decoded (SHA-256 of the decoded payloads; [1], [2], [3] refer to the encoded downloads marked above)
6b06852aaba9ced902de923255ed3777f8908812af44ddd6be90e077574a4947 [1]
d7a18beb50eb6f76314ed2c3153e661903986e928574d918a2f7b083e45c3e5e [2]
50e03626bce92ad42fcc5b59c406816445498672a07f563b21e332e75fa9cce5 [3]
- executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323" (the decoded payload is a DLL; in rundll32 syntax "qwerty" is the exported entry point and "323" the argument passed to it)
- sample analysis (reverse.it / Hybrid Analysis reports)
https://www.reverse.it/sample/181a9f67637f145825864f4e19cd4da40cfa598fddb3209ab3edd6e9e2b6a2ab?environmentId=100
https://www.reverse.it/sample/fa1043788961c4bacea94de799b6cc840abe5a874034ee69f0c92bf749eb6d0b?environmentId=100
https://www.reverse.it/sample/73e6e3ada27bfa4aae4b4c19d979c4a3a9f3cce76a8ed27ef3840be965225818?environmentId=100
https://www.reverse.it/sample/3c4a0f336092355f00d0ae0496261ad4a9559e929ce977855732f631aae79a5b?environmentId=100
https://www.reverse.it/sample/b1317609e9eeb965d08450dfb97e111d8c44adebc0479cde8e26f5e5e9d1a22c?environmentId=100
https://www.reverse.it/sample/792931c78c2afb9421b78c4b91c7e54a2fbdce2b3d13651159fb77e12a22be48?environmentId=100
https://www.reverse.it/sample/1070601617f82507772a568e33fb6a70dc2c54d5704860e07f5716efd26c7c70?environmentId=100
https://www.reverse.it/sample/81f7250ee0dcc90fde62cd3c01cfc952eeabfb96b1d5ad95aa6dee3f2fae7453?environmentId=100

C2:
51.254.108.40:80/data/info.php
88.198.76.76:80/data/info.php
tswsgajtwhqkosd.su/data/info.php [91.239.235.130]
jfmiondv.xyz/data/info.php [91.239.235.130]
wnrgttsfmhfmmoqxm.biz/data/info.php [69.195.129.70]
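The indicators above (fixed "DHL Express" display name, "Package #DH" plus seven digits, hex-named .zip wrapping "package dhl express ~<hex>~.js", the rundll32 export "qwerty" with argument "323", and the shared C2 path under the listed hosts) translate directly into triage checks. The following is an added example, not code from the original paste or its author: it turns each indicator into a small Python check and runs them over constructed sample mail headers, command lines and URLs (the DLL name kb3sd.dll, the example.com URL and the Alice header are made up for the demonstration). Only the C2 hosts are matched by name; the download sites are compromised legitimate domains with one-off random paths, so they are left to URL blocklists rather than hard-coded here.

```python
"""Triage checks for the 2016-09-22 Locky "Package #DHxxxxxxx" campaign.

Added example, not part of the original paste. The indicator patterns
(sender display name, subject format, attachment naming, rundll32 command
line, C2 host and path) come from the paste; every sample header, command
line and URL in __main__ and the comments is constructed test input.
"""
import re
from urllib.parse import urlsplit

# Lure: display name is always "DHL Express"; subject is "Package #DH" + 7 digits.
FROM_RE = re.compile(r'^"?DHL Express"?\s*<[^<>@\s]+@[^<>@\s]+>$')
SUBJECT_RE = re.compile(r"^Package #DH\d{7}$")
# Attachment: "<hex>.zip" holding "package dhl express ~<hex>~.js".
ZIP_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
JS_RE = re.compile(r"^package dhl express ~[0-9a-f]+~\.js$", re.IGNORECASE)
# Execution: rundll32.exe %TEMP%\<dll_name>,qwerty 323 (export "qwerty", argument "323").
# %TEMP% is usually already expanded in process-creation logs, so only the tail is anchored.
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b[^\n]*,qwerty\s+323\b", re.IGNORECASE)
# C2 hosts and resolved IPs listed in the paste; all of them use the same path.
C2_HOSTS = frozenset({
    "51.254.108.40", "88.198.76.76", "91.239.235.130", "69.195.129.70",
    "tswsgajtwhqkosd.su", "jfmiondv.xyz", "wnrgttsfmhfmmoqxm.biz",
})
C2_PATH = "/data/info.php"


def score_mail(from_hdr, subject, attachment_names):
    """Return the list of campaign indicators matched by one message.

    attachment_names should hold the archive name and, if the gateway
    unpacks archives, the names of its members as well.
    """
    hits = []
    if FROM_RE.match(from_hdr.strip()):
        hits.append("display name 'DHL Express'")
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject 'Package #DH' + 7 digits")
    if any(ZIP_RE.match(n) for n in attachment_names):
        hits.append("hex-named .zip attachment")
    if any(JS_RE.match(n) for n in attachment_names):
        hits.append("'package dhl express ~<hex>~.js' JScript downloader")
    return hits


def is_locky_rundll32(cmdline):
    """True when a process command line matches the paste's rundll32 invocation."""
    return RUNDLL_RE.search(cmdline) is not None


def is_c2_request(url):
    """True when host and path both match a listed C2 endpoint.

    /data/info.php alone is too generic to alert on, so the host must match too.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host in C2_HOSTS and parts.path == C2_PATH


if __name__ == "__main__":
    # Constructed sample data modelled on the paste (not captured traffic).
    print("mail indicators:", score_mail(
        '"DHL Express" <Mays.69642@brasiltelecom.net.br>',
        "Package #DH9787801",
        ["52eb3db6c6d.zip", "package dhl express ~52eb3db6c6d~.js"],
    ))
    for cmd in (
        r"rundll32.exe C:\Users\u\AppData\Local\Temp\kb3sd.dll,qwerty 323",  # constructed
        r"rundll32.exe shell32.dll,Control_RunDLL",                            # benign
    ):
        print("rundll32 match:", is_locky_rundll32(cmd), "|", cmd)
    for url in (
        "http://tswsgajtwhqkosd.su/data/info.php",
        "http://51.254.108.40:80/data/info.php",
        "http://example.com/data/info.php",  # same path, unrelated host
    ):
        print("C2 match:", is_c2_request(url), "|", url)
```

The mail check returns the list of matched indicators rather than a boolean so that a gateway rule can require, say, the subject plus the attachment pattern before quarantining, while a single hit only raises the score. The rundll32 check is the most durable of the three, since the export name and argument survive the random DLL name and download path.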