- 2016-08-04 #locky email phishing campaign "Budget Reports"
- Email sample (sender address varies between emails):
- -------------------------------------------------------------------------------
- From: "Phoebe Glenn"
- To: [REDACTED]
- Subject: Budget Reports
- Hey [REDACTED]
- I attached the annual budget reports that you asked me to send to you.
- Best regards,
- Phoebe Glenn
- -------------------------------------------------------------------------------
- Attachment "6a1de75866e.zip", contains "annual_budget_ e36466af~.js" (varies between emails), JScript downloader
- encrypted malware, filesize 141316
- https://www.reverse.it/sample/a85b8da8bfca55f31e6515d7f3a9839995d4767a04d3a1a2ab80ff762a6a254b?environmentId=100
- https://www.reverse.it/sample/91f938c21bbfaded386b4637a1d1333f101fe875fcebcbbbeade441b1d6ca8d4?environmentId=100
- https://www.reverse.it/sample/414bbbb59aa195b71580ff68f636e7d7111d27ce912b7062798b8e7ca4c741db?environmentId=100
- decrypted malware:
- b3f6a77ddb025b5072e6257003c5fe71abc7a024c4c3f498f51076afa4045870
- 6ce3be6d836dad7568e284da8530436f834d0ce6fa0f463f1eacd63e2ac9ddb2
- b2e28b4cc1dc625ba35b5bea25fea554102940ef673c1ca449d6a6152d04ffac
- C2
- 31.41.46.29:80/php/upload.php
- 185.129.148.19:80/php/upload.php
- 91.219.29.35:80 (ygpktpim.pw)/php/upload.php
- 188.127.230.63:80 (ygpktpim.pw)/php/upload.php