Racco42

Locky "Budget Reports"

Aug 4th, 2016
2016-08-04 #locky email phishing campaign "Budget Reports"

Email sample (sender address varies between emails):
-------------------------------------------------------------------------------
From: "Phoebe Glenn"
To: [REDACTED]
Subject: Budget Reports

Hey [REDACTED]

I attached the annual budget reports that you asked me to send to you.

Best regards,
Phoebe Glenn
-------------------------------------------------------------------------------
Attachment "6a1de75866e.zip", contains "annual_budget_ e36466af~.js" (varies between emails), JScript downloader

encrypted malware, filesize 141316

https://www.reverse.it/sample/a85b8da8bfca55f31e6515d7f3a9839995d4767a04d3a1a2ab80ff762a6a254b?environmentId=100
https://www.reverse.it/sample/91f938c21bbfaded386b4637a1d1333f101fe875fcebcbbbeade441b1d6ca8d4?environmentId=100
https://www.reverse.it/sample/414bbbb59aa195b71580ff68f636e7d7111d27ce912b7062798b8e7ca4c741db?environmentId=100

decrypted malware:
b3f6a77ddb025b5072e6257003c5fe71abc7a024c4c3f498f51076afa4045870
6ce3be6d836dad7568e284da8530436f834d0ce6fa0f463f1eacd63e2ac9ddb2
b2e28b4cc1dc625ba35b5bea25fea554102940ef673c1ca449d6a6152d04ffac

C2
31.41.46.29:80/php/upload.php
185.129.148.19:80/php/upload.php
91.219.29.35:80 (ygpktpim.pw)/php/upload.php
188.127.230.63:80 (ygpktpim.pw)/php/upload.php