2017-09-19 Locky "HERBALIFE Order Number"

2017-09-19: #locky email phishing camapign "HERBALIFE Order Number: 6N0100NNNN"

Email sample:
-------------------------------------------------------------------------------------------------------------
From: "Herbalife" <svc_apacnts_2661@herbalife.com>
To: [REDACTED]
Date: Tue, 19 Sep 2017 17:42:27 +0700
Subject: HERBALIFE Order Number: 6N01000673

Thank you for your order

Please find attached your tax invoice for 6N01000673

Your order is now being processed.

Attachment: 6N01000673_1.7z -> 6N01006808.vbs
-------------------------------------------------------------------------------------------------------------
- sender is: "Herbalife" <svc_apacnts_<1-4 digits>@herbalife.com>
- subject is "HERBALIFE Order Number: 6N0100<4 digits>"
- attached file "6N0100<4 digits>_1.7z" contains file "6N0100<4 digits>.vbs", a VBScript downloader

Download sites:
http://arsmakina.org/JGHldb03m
http://asiaresearchcenter.org/JGHldb03m
http://bnphealthcare.com/JGHldb03m
http://conxibit.com/JGHldb03m
http://cxwebdesign.de/JGHldb03m
http://diakoniestation-winnenden.de/JGHldb03m
http://download.justowin.it/JGHldb03m
http://ecofloraholland.nl/JGHldb03m
http://felixsolis.mobi/JGHldb03m
http://foodbikers.ch/JGHldb03m
http://g-peer.at/JGHldb03m
http://gui-design.de/JGHldb03m
http://highpressurewelding.co.uk/JGHldb03m
http://housecafe-essen.de/JGHldb03m
http://isiquest1.com/JGHldb03m
http://secureleads.com/JGHldb03m
http://teracom.co.id/JGHldb03m
http://ycgrp.jp/JGHldb03m
http://zionbrand.su/p66/JGHldb03m

Malware:
- locky, .yckol variant
- SHA256: f8e7dde2601ebeb7e30af4c54016223f1c42298176e1f2f5c4945ca6b8b88317, MD5: 43e9190f8f18e52dc361f775cc02b2ce
- VT: https://www.virustotal.com/#/file/f8e7dde2601ebeb7e30af4c54016223f1c42298176e1f2f5c4945ca6b8b88317/detection
- HA: https://www.reverse.it/sample/f8e7dde2601ebeb7e30af4c54016223f1c42298176e1f2f5c4945ca6b8b88317?environmentId=100