From: Thanh Sears
Date: 11 March 2016 at 10:29
Subject: FW: Payment 16-03-#507586
We have received this documents from your bank, please review attached documents.
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script containing one of the following strings plus a random number and also it seems a # sign at the end of some.
There are probably other download locations. The dropped binaries are actually different   and both look like Locky ransomware. The C2s to block are the same as found in this earlier Locky run.
Two further download locations can be found at:
The dropped binaries are different again  , but it is still Locky phoning home to the C2s detailed here.
Further download locations are at:
Again, the dropped binaries are all different but seem to be Locky     .