
Wednesday, 27 July 2016

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
The spam comes from different senders, each with a different hexadecimal number in the address. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script downloading from:


There will be many more download locations in addition to that one. The script drops an executable which appears to be Locky ransomware, with a detection rate of 7/55. Analysis of this payload is pending; however, the C2 servers may well be the same as those found here.


The C2 locations for this variant are:

(Dmitry Zheltov, Russia / Hetzner, Germany)
(Digital Ocean, Netherlands)
(Evgenij Rusachenko, Russia / OVH, France)

Recommended blocklist:

1 comment:

Alexander.K.Polyakov said...

This particular script contains only three download locations:

beauty-jasmine.ru/6dc2y (decrypted .exe: cef28528e186d81c4693d2712ef9e138)

takemaruko.web.fc2.com/29t1j (decrypted .exe: 4c8f2d9d28f1b3f75f799a1a88e88b75)

hotstreams.ru/sam9xqp0 (decrypted .exe: 28011927d39ec45c7cba20b8c1db22f7)