From: Justin harmon
Date: 25 May 2016 at 12:30
Subject: URGENT - DELIVERY

Dear customer.
Please find the attachment.
--
Thanks & Best Regards
Jobin Jacob
HYTEX
Ph: +974-44506682
Mob: +974-70400514, 55129954

Attached is a ZIP file that contains one of many scripts that downloads a binary from one of the following locations (according to a trusted third party, thank you!):
In each download URL, [random-string] appears to be a random alphanumeric string. The dropped binary is Locky ransomware (as seen in this Malwr report), which phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
These are the same C2 servers as found here.
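As an added detection example (not part of the original post), the following Python flags proxy log lines that either match the download-URL shape described above or reach the two C2 addresses named in the post; the log line format and the sample lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Download-URL shape from the post: host/3g34t3t4tggrt?[random-string]=[random-string]
LOCKY_DL_RE = re.compile(r"^https?://[^/\s]+/3g34t3t4tggrt\?[A-Za-z0-9]+=[A-Za-z0-9]+$")

# C2 addresses named in the post
LOCKY_C2 = {ip_address("164.132.40.47"), ip_address("104.131.182.103")}

# Constructed sample proxy log (assumed format: timestamp client dest-ip url);
# hosts use documentation domains and TEST-NET addresses
SAMPLE_LOG = """\
2016-05-25T12:31:02 10.0.0.5 192.0.2.10 http://example.com/index.html
2016-05-25T12:31:09 10.0.0.5 198.51.100.7 http://example.org/3g34t3t4tggrt?kd82Ls=Qw9zT1
2016-05-25T12:31:15 10.0.0.5 164.132.40.47 http://164.132.40.47/
2016-05-25T12:32:40 10.0.0.9 203.0.113.8 http://example.net/3g34t3t4tggrt
"""


def classify(line):
    """Return the reasons a log line looks Locky-related, or [] if it looks clean."""
    parts = line.split()
    if len(parts) != 4:
        return []
    _ts, _client, dest_ip, url = parts
    reasons = []
    if LOCKY_DL_RE.match(url):
        reasons.append("locky-downloader-url")
    try:
        if ip_address(dest_ip) in LOCKY_C2:
            reasons.append("locky-c2-ip")
    except ValueError:
        pass  # destination field is not an IP address; skip the C2 check
    return reasons


def scan(log_text):
    """Return (line_number, reasons) for every suspicious line in the log text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

The fourth sample line is deliberately left unflagged: the path alone is not enough, since the post's pattern includes the random key=value query.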