Wednesday, 29 June 2016

Malware spam: "Financial report" / "I have attached the financial report you requested."

This spam appears to come from various sources, but has a malicious attachment:
From:    Hester Stanley
Date:    29 June 2016 at 13:25
Subject:    Financial report

Hello [redacted],

I have attached the financial report you requested.


Regards
Hester Stanley

Chief Executive Officer

The attachment is a ZIP file whose name contains some version of the recipient's email address, one of the words "report", "freport" or "financial", and a number. Inside it is a malicious .js file whose name begins with "swift".

Trusted analysis by another party (thank you as ever) gives download locations at:

115.146.42.43/5dtvzet
164.15.59.210/polytech/faculte/n0iqya
210.196.205.19/~pvpip/ypznpez0
65.99.205.183/~studiantec/w29xxnph
82.140.32.172/~haukebensch/3l6zu4
83.235.64.44/~astr-pap/3h59w9s
arquipiedra.cl/6xp7a8k5
benelist.cz/p3oyew2
buron.dk//xc71iuq
centralbs.com/wogium
centro-odontoiatrico-neuromuscolare.it/jtap3
Deutsch-Krone.privat.t-online.de/od24jb
dewaeletransportes.atspace.com/moqry4r9
dragoljub.50webs.com/2gkowrrg
dueto.sk/mdjhnlh
elipse.es/~elipse/8cbjb
enpeler.web.fc2.com/nryumnd
free.co.ca//s3po2n54
geduque.com.br/xu5u1hw
geiten.nl/jjupt07
greatlakessawingsolutions.com/zm70yfs7
jharanch.net/wsi8rh9g
josenria.nl/tohbw3e
joynergraphics.com/2e7qysyn
joynergraphics.com/9htk0ug
karosguren.web.fc2.com//sgejjt
kibridz.50webs.com/l2rvuivn
kitaori.net/r7zt9
labibliocancerdig.com/mhbgy5
laneylakes.com/fj521
maridea.cz/3w36st3
maridea.eu/3ofkxjlt
mayhemparkcom.sites.qwestoffice.net/gdduzqe
onlinepartners.no/kiwcpse
onwings.nl/~onwings.nl/zcr3r9
otherworldsbookstore.com/qmn38
otherworldsbookstore.com//w7q4o2
otherworldsbookstore.com/yluli4ye
pospesch.de/78uftb3
qualiphone.tv/fpmrb
sao24.net/0wnm7v
tczpug.org/z8nvas
teste-site.hi2.ro/7he6ez0
ulin.jp/1p5sqt
vimperk-haselburg.cz/kf27u5
www.notaverde.com/vq1ep
www.oemsen.gmxhome.de/sh91u3a


The payload is Locky ransomware, phoning home to the following servers:

93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
149.154.159.125 (EDIS, Germany)
151.236.17.45 (EDIS, Germany)
151.236.17.47 (EDIS, Germany)
194.31.59.147 (Hostbar, Russia)


I don't currently have a copy of the payload.

Recommended blocklist:
93.170.123.219
149.154.159.125
151.236.17.45
151.236.17.47
194.31.59.147
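As an added defender's example (not code from the original post), the following Python turns the indicators above into two checks: a mail-gateway style match on the attachment shape the post describes (ZIP name carrying part of the recipient's address, one of the listed words and a number, containing a "swift*.js" member), and a sweep of firewall log lines for outbound connections to the five C2 addresses in the recommended blocklist. The exact separators in the attachment name and the key=value log format are assumptions; the log lines are constructed, not real traffic.

```python
import re

# Locky C2 addresses taken from the post's recommended blocklist.
LOCKY_C2_BLOCKLIST = frozenset({
    "93.170.123.219",
    "149.154.159.125",
    "151.236.17.45",
    "151.236.17.47",
    "194.31.59.147",
})

# Words the post says appear in the ZIP attachment's file name.
ZIP_KEYWORDS = ("freport", "report", "financial")


def suspicious_attachment(zip_name, member_names, recipient_local_part):
    """Match the attachment shape described in the post: a .zip whose name
    carries part of the recipient's address, one of the keywords and a
    number, and which contains a .js file whose name begins with "swift".
    The separators are unknown, so the check is deliberately loose (an
    assumption, not the campaign's precise naming scheme)."""
    name = zip_name.lower()
    if not name.endswith(".zip"):
        return False
    if recipient_local_part.lower() not in name:
        return False
    if not any(word in name for word in ZIP_KEYWORDS):
        return False
    if not re.search(r"\d", name):
        return False
    # Only the basename of each archive member matters.
    return any(
        re.match(r"swift.*\.js$", member.rsplit("/", 1)[-1].lower())
        for member in member_names
    )


# Assumed key=value firewall log layout; adjust the regex to the real source.
LOG_RE = re.compile(
    r"\bsrc=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def flag_c2_connections(log_lines):
    """Return (src, dst, dport) for each connection to a listed C2 address."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in LOCKY_C2_BLOCKLIST:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def iptables_drop_rules(blocklist=LOCKY_C2_BLOCKLIST):
    """Render the blocklist as egress DROP rules, one per address."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(blocklist)]


# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    "2016-06-29T13:41:02Z action=allow src=10.0.0.12 dst=151.236.17.45 dport=80 proto=tcp",
    "2016-06-29T13:41:05Z action=allow src=10.0.0.12 dst=93.184.216.34 dport=443 proto=tcp",
    "2016-06-29T13:42:17Z action=allow src=10.0.0.31 dst=194.31.59.147 dport=80 proto=tcp",
    "this line has no parseable fields",
]

if __name__ == "__main__":
    print(suspicious_attachment("jdoe_financial_report_4471.zip", ["swift7h2k.js"], "jdoe"))
    for src, dst, dport in flag_c2_connections(SAMPLE_LOG):
        print(f"C2 contact: {src} -> {dst}:{dport}")
    print("\n".join(iptables_drop_rules()))
```

The attachment check is intended as a triage signal rather than a hard block: the loose match will also catch legitimate "financial report" archives, so route hits to quarantine and review rather than silently dropping them. The C2 sweep, by contrast, is high confidence, since any host talking to those addresses is worth isolating.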


1 comment:

Alexander.K.Polyakov said...

Here are the hashes of (some) decrypted payloads:

151d382593c7182b839810bbac2bc783 0wnm7v
d07c9afcf4f160e09ff5db9e9f1c29a6 1p5sqt
4d304bcf9caba2c067c84ff7aff935f5 3h59w9s
a8183896caa428288fca4615ea9c9f9a 5dtvzet
93dccfe28b043433b953be89bd97d45c 78uftb3
003b857e5e23e1ccd59efd605b3f9c71 7he6ez0
6e12ec48f6c262c5ebb5bcc3e5bda2bc 8cbjb
9fa46846c2d6cae6472ba79c36ee7c6f gdduzqe
cf18095776897586ab62ef4c3576eb12 jjupt07
2b93244d32d361df6f71a6bbe1d89a7c jtap3
01798c4b736e5a7cd2f2690a4d16f001 mhbgy5
4991c6539367d39e54f266c1bd97a4b3 n0iqya
49e5c623ddf33c5dddd87239429fdebf nryumnd
22e0e745ad468f26029b7ad2c831812c od24jb
3f9538804a34c28ad83960c13aafad6a r7zt9
bb49293dda6d6856f820af1a1546b621 sgejjt
c4b6c9fce750261bf531c03edcff2488 sh91u3a
12fb29a3be485fad989f0ba0bc621398 vq1ep
113c1ba67424512d3f230d2965ea8299 w29xxnph
a6e2c128031c50cc0b92856816a8f07b wogium
82d3b602a09d9332125ed2dc417d9358 wsi8rh9g
717ce9b9ef56afda8744bc9d3e80e6d8 xc71iuq
d1f70067141974fb51e6381df8834e91 ypznpez0
67ced277ec5da3e0f62526a7c023dbc7 z8nvas
d552681e866395f39e841185d0d756c5 zcr3r9
cb5b366ad9c3a707a605e2e6681a4c2f zm70yfs7