Subject: please signIn the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name. This obfuscated script [pastebin] appears to download Locky ransomware. Analysis is pending.
From: Ricardo Buchanan
Date: Monday, 3 October 2016, 10:27
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Ricardo Buchanan
CEO
UPDATE
This Hybrid Analysis clearly shows Locky in action. According to my sources there are no C2s, and the download locations are:
027tzx.com/lscpv
5v5.net/wmas4
a1hose.com/j9ccher
arabhashtag.com/q2aatrh
arcworks.ca/xmz948l8
AVTORESURS.NET/n5rz8w
basofttech.com/lf7agf
bassbudsgame.com/ptqrx0bl
bradjones.com.au/qglrydv
champi.nl/v5zovddy
charge2go.com/coplbr
clinicaavellaneda.com/ovg45gh
crossroadspd.com/515grm
dangras.net/1f5d4mlo
dangras.net/3geg2zj
dangras.net/5edbite
dangras.net/6lebt
demo.academia-moscow.ru/f6wmma
demo.hostfabrica.ru/n8ygd
dotcom-enterprises.com/cpgskvx9
edrozd.net/zuz15wuc
eskrow.ru/gk2sabe
ferumusky.com/229k9z
ferumusky.com/3surnwl
ferumusky.com/5o11b5s
ferumusky.com/6nfhu0lt
galelaure.com/gvn4j9eq
glosalonline.com/adsry1c
hoamiu.info/lgvdn1l
honeine.com/h03dyzp
hrbqcc.com/kz3vidu6
jetxaviation.com/xbvqdt
joplinglobeonline.com/cc3al2x7
klipink.com/vfvlqynq
louisirby.com/cmlfoyb
louisirby.com/ejtocks
medicangka.com/0s7ygu
medicangka.com/2wn3r
medicangka.com/515grm
medicangka.com/65l4byy
mlsmaids.com/b2ofgow7
mrwebdirectory.net/vl4h091
mucicsitta.net/09xhx
mucicsitta.net/2imhkap
mucicsitta.net/4li3zc
mucicsitta.net/64vvi
mutiarafurniture.com/qwal3v9
netclip.ro/v6wj6yln
nonprofitbenefit.com/h6lne
ossiatzki.com/dyke9
p2pbikini.com/cm9s56to
parasaymamakina.net/ja152
relianceclouds.com/tr56dz8z
remont-vanosa.ru/j292hr
rondeaho.com/08dqn
rondeaho.com/24agob
rondeaho.com/4h2vq
rondeaho.com/5ubi0cxh
rosewong.com/va8asq
sentedesign.pt/pbery0
shinipri.com/brzvbi
softwaregolower.com/rddt0z
superoriente.com/kbgt8m4
syncfish.com/k7brjhgm
tandjsalon.com/gd5ke
tinoprins.nl/uji62x
trulytechnology.com/xs5t4q8
verafleischer.com/eh36e
vinabuhmwoo.com/64vvi
vipmarketing.co.il/ub0ybv5
welsell.com/tgtmzm
www.4u-byme.com/ay7ugmad
yogajourneyretreat.com/ewgjrey
yoobux.com/euy7k8
youspeak.pt/l5j3iw
yuzhuyuan.com/65l4byy
zachmacphoto.com/be8il1jb
zsvlomnica.sk/229k9z
No comments:
Post a Comment