Scam: Fanrong Europe Fund / fanrongfund.info / fanrongeuropefund.info / fanrongeuropefund.com

This spam email advertising a "too good to be true" investment is a scam:

From:    Tim Hoffman [letter@612.com]
To:    contact [contact@victimdomain.tld]
Date:    30 July 2016 at 09:26
Subject:    Fanrong Europe Fund – 1 Half 2016 return +32.69%.

Dear Sirs,

Please be informed that the Fanrong Europe Fund reported strong 1 Half 2016 with return +32.69%.

Fanrong Europe Fund is a registered hedge fund that managed by a team of stock market experts that located in Zurich, Switzerland. The Fanrong Europe Fund Strategy is Long/Short Equity. The Fund was launched in April 2014. It is open-ended hedge fund. We are open for new investors.

We welcome you to contact us through our web-site to learn more about investing with us:
www.FanrongFund.info

Kind regards,
Tim Hoffman
e-marketing manager
Fanrong Europe Fund
www.FanrongFund.info


Reply to: marketing@fanrongfund.info

If you do not want to receive this newsletter send an email to: unsubscribe@fanrongfund.info

NOTICE: Your address was obtained from open sources where you were agreed to receive the marketing information from third parties.

I have received two of these emails, one coming from the IPs 188.69.207.57 and 188.69.223.168 which are both allocated to a mobile phone provider in Lithuania (UPDATE: also 188.69.223.54). The website fanrongfund.info was created just a few days ago (28th July 2016) and is registed to the following (presumably fake) registrant:

Registrant ID: JLD4030131633
Registrant Name: James Dean
Registrant Organization:
Registrant Street: Vorstadt 20
Registrant City: Zug
Registrant State/Province:
Registrant Postal Code: 6300
Registrant Country: CH
Registrant Phone: +41.417120101
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jd767@yahoo.com

The site is hosted (apparently) in the British Virgin Islands on an IP allocated to the Public Domain Registry (PDR). It uses nameservers from Russian company AYBHOST.COM.

The website is pretty generic looking and opens with these words of wisdom:

Our main trade approach is:
"Close the position if it runs to loss, and hold it if it runs to profit".

Hans Messner
fund manager "Fanrong Europe Fund"

What next. "Buy low, sell high"? Here are some screenshots in case you see another version of this on your travels:

The "About" page carries this text:

We are the EU-domiciled investment manager with successful experience in stock trade in EU. Our professional assets managers have personal approach to trade with bear and bulls market. We use self-made investment strategy that allows getting the constant positive result in short-term horizon. All investment process is in full accordance with IIS (International Investment Standards) of Fanrong Capital (Hong Kong) (fanrongcapital.com).

Presumably this is copied off an earlier scam site, in this case there is an official warning about that particular firm.

fanrongfund.info appears to have mirrors at:

fanrongeuropefund.info
fanrongeuropefund.com

Both of these are hosted on 46.4.24.196 (Hetzner, Germany). The WHOIS details for those are inconsistent with each other.

fanrongeuropefund.info
Registrant ID: HSM1859139253
Registrant Name: Hans Messner
Registrant Organization: Fanrong Europe Fund
Registrant Street: Leutschenbachstrasse 95
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8050
Registrant Country: CH
Registrant Phone: +41.445632589
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.info

fanrongeuropefund.com
Registry Registrant ID: Not Available From Registry
Registrant Name: Li Yong
Registrant Organization:
Registrant Street: Schwingerstrasse 9
Registrant City: Zurich
Registrant State/Province: Zurich
Registrant Postal Code: 8006
Registrant Country: CH
Registrant Phone: +41.442289632
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@fanrongeuropefund.com

For completeness, the domain fanrongcapital.com is hosted on 5.100.152.26  (the same block as fanrongfund.info) and this particular corporation seems to be using a free email address..

Registry Registrant ID: Not Available From Registry
Registrant Name: Wei Zhang
Registrant Organization: Fanrong Capital
Registrant Street: 20F, 1 Harbor View Street
Registrant City: Hong Kong
Registrant State/Province: Hong Kong
Registrant Postal Code: 111000
Registrant Country: HK
Registrant Phone: +852.58085536
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: fanrongcapital@yahoo.com

Nothing about this offer is legitimate. Avoid it, or if you have invested money in this fictitious firm then you should contact the police immediately.

Malware spam: "Voicemail from Anonymous" / SureVoIP [voicemailandfax@surevoip.co.uk]

This fake voicemail spam has a malicious attachment:

From     SureVoIP [voicemailandfax@surevoip.co.uk]
Date     Fri, 29 Jul 2016 17:47:41 +0700
Subject     Voicemail from Anonymous <Anonymous> 00:02:15

Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
00:02:37Account: victimdomain.tld

The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf.

According to my trusted source (thank you as ever):

64.22.100.95/78h8ry
A1Engg.com/9u8jreve
am-i-evil.de/n3rv3rv
avaretv.atspace.com/n3rv3rv
cieslakwz.cba.pl/9u8jreve
curionaut.web.fc2.com/78h8ry
gim24.y0.pl/9u8jreve
guessen.privat.t-online.de/9u8jreve
gurannbania03.web.fc2.com/9u8jreve
hanokenko.web.fc2.com/n3rv3rv
hokkatsu6.web.fc2.com/78h8ry
kapiti-alpaca.co.nz/78h8ry
kathrin18.edv-kamue.de/78h8ry
kimani.dommel.be/n3rv3rv
martinezlabalsa.atspace.org/78h8ry
melzer-ferienwohnung.de/78h8ry
mertenitalia.atspace.com/78h8ry
paris82nana.cafe24.com/78h8ry
pixelacker.de/9u8jreve
rakurakutuuhang.web.fc2.com/n3rv3rv
rhodins.nu/n3rv3rv
sandalcraft.cba.pl/9u8jreve
shinryu1226.web.fc2.com/78h8ry
sspbadecz.ugu.pl/9u8jreve
www.amelander.nl/78h8ry
www.arrietayasociados.es/9u8jreve
www.atiyka.home.ro/9u8jreve
www.bobp.org.uk/9u8jreve
www.cabana.it/9u8jreve
www.corama.com/n3rv3rv
www.cs-strumentazione.it/9u8jreve
www.destine.broker.go.ro/n3rv3rv
www.diegofabbri.com/n3rv3rv
www.ecologica2000srl.eu/78h8ry
www.finnform.it/n3rv3rv
www.flamarimports.com.br/n3rv3rv
www.josegbueno.jazztel.es/9u8jreve
www.malzi.mynetcologne.de/n3rv3rv
www.markomielentz.de/78h8ry
www.nieli.de/9u8jreve
www.oliooddo.com/n3rv3rv
www.professionaldga.com/78h8ry
www.suesswarentechniker.de/78h8ry
www.techninov.fr/n3rv3rv
yohollywood.50webs.com/78h8ry

The downloaded binary is Locky ransomware, phoning home to:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain.in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4.biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti.ru]

Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139

Malware spam: "Please check the attached invoice and confirm me if I sent the right data" leads to Locky

This fake financial spam leads to malware:

Subject:     Invoice
From:     Kendall Harrison (Harrison.59349@chazsmedley.com)
Date:     Thursday, 28 July 2016, 10:33

Hello,

Please check the attached invoice and confirm me if I sent the right data

Yours sincerely,
Kendall Harrison

320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3 

The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted".

The Malwr analysis for the partially deobfuscated script and this Hybrid Analysis show this particular sample downloading from:

83.235.64.44/~typecent/xvsb58

This drops a malicious Locky ransomware binary with a detection rate of 7/55. Analysis of this binary is pending.

UPDATE

Thank you to my usual source for this analysis. The download locations for the various scripts are:

01ad681.netsolhost.com/7j0jlq3
12-land.co.jp/vrquj
178.78.87.8/xjzhm
83.235.64.44/~typecent/xvsb58
arabian-horse-highlights.homepage.t-online.de/kzm2n
bajasae.grupos.usb.ve/4y13jg1
baldwinhistory.portalstream.net/rqbljjx
billy-hanjo.homepage.t-online.de/2r713u
blanquerna.eresmas.net/tt2e8s4
burkersdorf.eu/8y5n3f
campustouren.de/k6tkk
christilipp.com/cnb0o
creartnet.com/5ylah
dev12.gammat.net/oxg2m3
exclusive-closet.com/fld2h8
fremdesland.x.fc2.com/iya9qt
gkxxx.x.fc2.com/dxfom
idd00dnu.eresmas.net/wdmlqe
it4cio.servicos.ws/u8c3x
jozefow.cba.pl/ouini6
karumaengeki.web.fc2.com/f3ry4
kbridge.web.fc2.com/hj1fr
lacrima.ru/hvn1c
luzdevelas.es/9belfi
mbiurorachunkowe.republika.pl/6t6sz
motorkote.org/0gq654
okhtinka.ru.hoster-ok.com/qdiqooeo
papamama.com.sg/zhbepez
piggy.riffle.be/~gniff/r9bzz
robertstefan.home.ro/pycz4o
sav-krelingen.de/36r3qe8
schefman.info/snjqz
slit.xxxxxxxx.jp/l58gd3p
sv-r.ru/btawsoc
www.acheri.it/magii
www.andyschwietzer.homepage.t-online.de/r3a0tw
www.chantale.force9.co.uk/lsyeuw
www.clefranceitalie.org/cj937f7l
www.inari.net/ov5u1k
www.kan-therm.ru/qara9i
www.marinoderosas.com/59nue8uo
www.panella.org/eo9lk
www.rgtalp14.it/ykb84n40
www.ruyssinck-demeyer.be/v4xo5r28
www.schwarzer-baer-kastl.de/tt7ea
www.uasm.de/qwqiyk
yourparty.cba.pl/5avhe
zckupila.republika.pl/m6w6uu5f

C2 locations:

178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)

Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0

Malware spam: "Attached is the updated details about the company account you needed"

This spam has a malicious attachment:

Subject:     updated details
From:     Faith Davidson (Davidson.43198@optimaestate.com)
Date:     Wednesday, 27 July 2016, 11:13

Attached is the updated details about the company account you needed

King regards
Faith Davidson
c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be 

The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script download from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55. Analysis of this payload is pending, however the C2 servers may well be the same as found here.

UPDATE

The C2 locations for this variant are:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)

Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30

Malware spam: "Sent from my Samsung device" leads to Locky

This spam comes in a few different variations:

From:    Lottie
Date:    27 July 2016 at 10:38
Subject:    scan0000510

Sent from my Samsung device

The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component from one of the following locations:

alldesu.web.fc2.com/j988765
dslandscape.50webs.com/j988765
gmp.home.ro/j988765
hobbyfraeser.homepage.t-online.de/j988765
italcase.ve.it/j988765
mendikurconsulting.com/j988765
uladekoracje.republika.pl/j988765
wac80v41f.homepage.t-online.de/j988765
www.holzrueckewagen.de/j988765
www.milleniumitaly.com/j988765
yogamaruco.web.fc2.com/j988765

The dropped file is Locky ransomware and it has a detection rate of 2/52. It phones home to the following locations:

5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)

(Thank you to my usual source for this data)

There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.

Recommended blocklist:
5.9.253.160/27
178.62.232.244

Malware spam: "Attached Image" leads to Locky

This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    26 July 2016 at 10:27
Subject:    Attached Image

**********************************************************************
The information in this email is confidential and may be privileged.
If you are not the intended recipient, please destroy this message
and notify the sender immediately.
**********************************************************************

Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number, such as this one. In this example the script downloads a malicious binary from:

www.isleofwightcomputerrepairs.talktalk.net/okp987g7v

There will be many other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54. The Hybrid Analysis for the dropped file shows it phoning home to:

31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)

Recommended blocklist:
31.41.47.41
91.234.35.216

Malware spam: "Emailing: Photo 25-07-2016, 34 80 10" / "Emailing: Document 25-07-2016, 72 35 48"

This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:

From:    Rebeca [Rebeca3@victimdomain.tld]
Date:    25 July 2016 at 10:16
Subject:    Emailing: Photo 25-07-2016, 34 80 10


Your message is ready to be sent with the following file or link
attachments:

Photo 25-07-2016, 34 80 10


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".

An alternative variant comes with a malicious Word document:

From:    Alan [Alan306@victimdomain.tld]
Date:    25 July 2016 at 12:40
Subject:    Emailing: Document 25-07-2016, 72 35 48

Your message is ready to be sent with the following file or link
attachments:

Document 25-07-2016, 72 35 48


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.

The attachment is this case is a .DOCM filed named in a similar way as before.

This analysis is done by my usual trusted source (thank you). These scripts and macros download a component from one of the following locations:

0urkarachi.atspace.com/7h8gbiuomp
cantrell.biz/7h8gbiuomp
czemarserwis.home.pl/7h8gbiuomp
exploromania4x4club.ro/7h8gbiuomp
finaledithon.web.fc2.com/7h8gbiuomp
koushuen.co.jp/7h8gbiuomp
moehakiba.web.fc2.com/7h8gbiuomp
ostseeurlaub-tk.homepage.t-online.de/7h8gbiuomp
r-p-b.de/7h8gbiuomp
topmanagers.claas.fr/7h8gbiuomp
tpllaw.com/7h8gbiuomp
tutomogiya.web.fc2.com/7h8gbiuomp
vplegat.dk/7h8gbiuomp
www.aproso.de/7h8gbiuomp
www.ciapparelli.com/7h8gbiuomp
www.foto-aeree.it/7h8gbiuomp
www.gruetzi.es/7h8gbiuomp
www.isleofwightcomputerrepairs.talktalk.net/7h8gbiuomp
www.louislechien.net/7h8gbiuomp
www.motoslittetrecime.com/7h8gbiuomp
www.sistronic.com.co/7h8gbiuomp
www.tridi.be/7h8gbiuomp
www.vakantiehuisjeameland.nl/7h8gbiuomp
www.westline.it/7h8gbiuomp
zemlya.web.fc2.com/7h8gbiuomp

The payload here is Locky ransomware, and it phones home to the following addresses:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176

Malware spam: "Documents from work." / "Untitled(1).docm" leads to Locky

This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.

From: recipient@victim.tld
To: recipient@victim.tld
Subject: Documents from work.
Date:    19 July 2016 at 12:20

There is no body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component from on of the following locations:

aerosfera.ru/0hb765
biovinci.com.br/0hb765
choogo.net/0hb765
control3.com.br/0hb765
dealsbro.com/0hb765
heonybaby.synology.me/0hb765
hiramteran.com/0hb765
lifecare-hc.com/0hb765
ostrovokkrasoty.ru/0hb765
tvernedra.ru/0hb765
valsystem.cl/0hb765
wacker-etm.ru/0hb765
webidator.co.il/0hb765
wineroutes.ru/0hb765
www.mystyleparrucchieri.com/0hb765

The dropped payload has a detection rate of 3/54 and it phones home to the following locations:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)

That's a subset of the locations found here.  The payload is Locky ransomware.

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51

Malware spam: "I attached the detailed business analysis (updated}"

This spam has a malicious attachment. And also mismatched (brackets}.

From     "Lynnette Slater"
Date     Tue, 19 Jul 2016 10:47:09 +0200
Subject     Business Analysis
Message text

I attached the detailed business analysis (updated}

---

King regards,
Lynnette Slater

Briglin Pottery
Phone: +1 (181) 133-27-50
Fax: +1 (181) 133-27-49
ID: 34a8c7f01e98b92f3985fe91965e703df1f13456

The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same.

Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.

UPDATE

My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component from one of the following locations:

12-land.co.jp/gvkkx
accendojuris.com/dem3owmx
aerosfera.ru/xmljn
alinmaagroup.com/c2baqb
all-rides.com/m6bobmp
altadevelopers.com/kacgwe
anima-centrum.sk/bkcs2
bastidoresderondonia.com.br/ww55qzn
biovinci.com.br/dl9f0m6
choogo.net/qisxmdwz
darkhollowcoffee.com/unntj
daveshearth.com/f1t14
dealsbro.com/ptamc
delaemvkusnoe.ru/7lsypth
delaemvkusnoe.ru/yr54po27
dev.appleleafabstracting.com/j5q4b
dipp.lt/id4e6xcs
econopaginas.com/33ry5u
ejdadim.com/tzblhuk
heonybaby.synology.me/uydikuo
ialri.net/wh64xsb
jem-111.com/v5tq6s3
kveldeil.no/gfk2p
litehauzz.com.ng/cxqr03
lkfashions.com/3vkh8fcv
modulofm.com.br/3ap3qsi
moroem.com/n79lv
muscleinjuries.com/lqah1guh
mylimajai.lt/fkf75fo
myphychoice.com/s0ksxt8e
ormanstressrelief.com/lq1z62q
ostrovokkrasoty.ru/zxaen4
pasadenaoffice.com/431i00cd
right-livelihoods.org/uplwj
scpremiumbikes.com/53mkzxat
sitkainvestigations.com/2wmp4g
technobuz.com/05gwngqn
thetestserver.net/kemymr
tvernedra.ru/zkca0de
u0086064.cp.regruhosting.ru/hnmbac
versus.uz/ah73wlnz
vidonet.es/al268615
vilalusa.com/33q4i6f
westcoastswingitaly.it/jycvhfqq
www.thephoneguy.talktalk.net/om8bt
zuerich-gewerbe.ch/99v85w

I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:

77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)

Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51

Malware spam: "Sent from my Samsung device" leads to Locky

This rather terse spam has a malicious attachment:

From:    Ila
Date:    18 July 2016 at 13:01
Subject:    scan0000511

Sent from my Samsung device

The sender and subject vary, but the subject seems to be in a format similar to the following:

scan0000511
SCAN000044
COPY00002802

Attached is a .DOCM file with the same name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading from one of the following locations:

bursaforex.home.ro/54ghnnuo
car-sound.go.ro/54ghnnuo
cats.ugu.pl/54ghnnuo
dmb.republika.pl/54ghnnuo
eightplusnine.com/54ghnnuo
enpitsutenpura.web.fc2.com/54ghnnuo
gastro411.com/54ghnnuo
howtosucceed.tripod.com/54ghnnuo
iss0.tripod.com/54ghnnuo
klasste.tripod.com/54ghnnuo
marcinek.republika.pl/54ghnnuo
naturopatheenligne.free.fr/54ghnnuo
pacyna2.republika.pl/54ghnnuo
pichuile.free.fr/54ghnnuo
sgvillage.com/54ghnnuo
static.indirveoyna.com/54ghnnuo
www.carboplast.it/54ghnnuo

The payload is Locky with a detection rate of 4/53. It phones home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)

That's a subset of the IPs found here, so I recommend you block the following IPs:

77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14 

Malware spam: "bank account report" leads to Locky

This fake financial spam has a malicious attachment:

From     "Boyd Dennis"
Date     Mon, 18 Jul 2016 11:34:11 +0200
Subject     bank account report


How is it going?

Thank you very much for responding my email in a very short time. Attached is the
bank account report. Please look at it again and see if you have any disapproval.

--Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
085-57-41

The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipients email address and some random digits. Contained within is a .wsf script that downloads a file from one of the following locations (thank you to my source for analysis):

acnek.com/fyxxbcsz
ahatv.com.au/twh7xv
anchortron.com/hiqsij
aquatixbottle.com/ygyngc
bailamecuba.com/4uyh5bex
banthaoduoc.com/v5g9z0s
BenavidezHoy.com/8zrg48k
bigislandhawaiihilorealestate.com/16h9p
bizconsulting.ro/bm8s7
blackdildo.net/h9kyu
bridgeplacements.com/dhbuk
calcoastlogistics.com/pda6bms
candobetter.net/5nt3ayk
cbactive.com/jw7l6mlr
christian-view.com/rwe24t
cinerd.info/ebiyhv
cloudbws.com/m0tu07b
colleenthestylist.com/rdrfp
containermx.com/tb4u2v
davisdoherty.co.nz/g0vi70
deanstum.com/z9opr
dnp9.com/zpfqk2l
ecpi.ro/cqema
equalityindonesia.com/b229mg
eurasian.fc2web.com/18nws9
findmobileauto.com/gh8ft
fusofrance.fr/nengga
gruposoluciomatica.com.br/ryi81
gv.com.my/qbnuau
ilkhaberadana.com/rmegjezz
kouzoncorporation.com/jikkhl
leeplastic.com/w49a80y
matthewmccright.org/sl8wu
my-result.ru/0j1nlpj8
ormanstressrelief.com/uhgoz3b
otwayorchard.net/u96kt
provincialpw.com/r0vaqf
quest.agency/0ovl6v5z
rsxxx.com/3vp8s83
s2mgmt.com/do40lc
serviceautoiasi.com/4tbvsfcz
smp.com.mx/hcoyv
thegracefamilychurch.com/ltxm3t
tip.ub.ac.id/36k8m2xt
trans-free.ru/2hx1l
travelabroadsecret.com/rxurfhqk
travoxsb.com/qmi5u0n
vakantiehuisinauvergne.com/apyd17
wcouto.com.br/9d207v

I don't have a copy of the payload at present, but it does phone home to:

77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)

The payload appears to be Locky ransomware.

Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14

Malware spam: "Here's that excel file (latest invoices) that you wanted." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Benita Clayton
Date:    12 July 2016 at 15:04
Subject:    Fw:

hi [redacted],

Here's that excel file (latest invoices) that you wanted.


Best regards,
Benita Clayton
Vice President US Risk Management

Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-.

Trusted external analysis (thank you again) shows the scripts download an obfuscated binary from one of the following locations:

acepipesdeli.com.br/tffx7
aerosfera.ru/h5vkp87
agbiz.co.za/x2evw01
choogo.net/qi7j7f
control3.com.br/57nhtzkv
dealsbro.com/4qtc20
diablitos.no/ogmrgs
doisirmaosturismo-rj.com.br/jxdlzcf
eskuvotervezo.hu/3kbgy9a
eusekkei.co.jp/tdts0
ferozsons-labs.com/52sf0l
games4games.com.br/ubabtp
globaldveri.ru/i4a3l0
hanaweb.xsrv.jp/be6o4g6
heonybaby.synology.me/41sx3e
ialri.net/tughk
jsbaden.jemk.ch/xyn8moxt
jstudio.com.my/5mkejwj4
kveldeil.no/opca2v2
maihama.2jikai-p.net/5mkejwj4
mcpf.co.za/ffq1mq
mphooseitutu.com/tfq5e5d2
mywebhost.nichost.ru/g53y7
nicesound.biz/42did
omnitask.ba/ac5f6
ostrovokkrasoty.ru/x7lcd
ppf.com.pk/5z2sk
quaint.com.br/divme5d
repair-service.london/uywgi7v
revengeofsultans.com/9cu7bsw
richard-scissors.com/wife8eaf
rigoberto.com.br/nqum54t
samaju.se/fsqrtgrm
sindsul.com/h02sujs
sirimba.com.br/qiovtl
stylespiritdubai.com/be1id
tvernedra.ru/lob9x
valsystem.cl/v4db1wd
wacker-etm.ru/jfbmxlhy
wineroutes.ru/hrzl8dw5
www.cristaleriadominguez.com/fxcx6ep
www.inextenso.hu/xc3739l
www.ital.com.mx/xswj9
zachphoto.7u.cz/0jyhh
zakagimebel.ru/krcsvf
zoomwalls.com/zghpzv2f

Locky then phones home to one of the following locations:

5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)

Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220

Malware spam with random hexadecimal number leads to Locky

I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).

My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:

blingberry24.com/90ujn3b8c3
danseduchat.com/90ujn3b8c3
harveyventuresltd.com/90ujn3b8c3
noveltybella.com/90ujn3b8c3
www.proxiassistant-ao.com/90ujn3b8c3
www.sacandolalengua.com/90ujn3b8c3

The payload is Locky ransomware with a detection rate of 3/52. The same source says that C2 locations are:

89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)

Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:

89.108.84.42
148.163.73.29

UPDATE 2016-07-08

A variant of this spam run is in progress which adds the words RE, FW, Scan, Emailing or File to the random number. A trusted source (thank you) informs me that the download locations for the DOCM files in this case are:

abschlepp-taxi24.at/87yg5fd5
caijiachina.com/87yg5fd5
drpampe.com/87yg5fd5
felicecremesini.com/87yg5fd5
fermmedia.com/87yg5fd5
gebrauchtkauf.at/87yg5fd5
kurumenishimura.com/87yg5fd5
manutenzionecarrier.com/87yg5fd5
seferworld.com/87yg5fd5
snupress.com/87yg5fd5
themeidea.com/87yg5fd5

A malicious file is dropped with a detection rate of 3/55 which then phones home to the following server:

51.255.172.55 (OVH, France)

I recommend that you blog traffic to that IP.

Malware spam: "report" / "I致e attached the report you asked me to send." leads to Locky

This spam has a weird problem with its apostrophe and comes with a malicious attachment:

From:    Kris Ruiz
Date:    28 June 2016 at 10:38
Subject:    report

Hi info,

I致e attached the report you asked me to send.


Regards


Kris Ruiz
Head of Finance UKGI Planning

The details of the sender will vary from message to message.

Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with "swift".

This analysis comes from a trusted third party (thank you again). The script downloads a file from one of the following locations:

300tomoli.it/j8m7ktu
4k18.com/dfg4ad
adbm.co.uk/q2bmmhz
atlantaelectronics.co.id/xe1370n
bbmarilu.it/hkl9d
bbvogliadimare.it/il4cc3e
bibliadarkorbit.za.pl/i59j41zo
bisericaromaneasca.ro/trslckn
bobbysinghwpg.com/x42honx
bordur32.ru/re23zcb7
cameramartusa.info/u0uolg9
centrosportivoiunco.it/e8uxd
certifiedbanker.org/qjxfba
cond.gribochechki.ru/1vmcl8l
depaardestal.nl/3vfr61
dobramu.za.pl/4pc3kd9p
dragon.obywateleuropy.eu/4u22bfst
dugganinternational.ca/ksx6dv7
edilperle.it/d1mys2g
euro-support.be/xaf5349p
focolareostuni.it/oqtkiw
ft.driftactive.za.pl/7b03ffv
fuckcraft.xorg.pl/8cn8zeo
hate-metal.com/kgp8v
hudebiah.net/nskx4
ilbalconcino2011.it/e4ao4kky
ingstroymash.ru/cwiivhxu
jd-products.nl/t57vc86
marxforschung.de/0e7ac
mr2peter.de/o5ci15o
mycreativeprint.com/w3d7z6
namifitnessclub.it/f6hi6k
newgeneration2010.it/gupwqe1
potolok-profit.ru/q39aie
sprintbus.com.pl/9h7b0qnx
staffsolut.nichost.ru/jwz8i9
stbb.pt/40gnvp9a
tanie-pranie.za.pl/9e607
tip.ub.ac.id/v9wcojln
turniejkrzyz.za.pl/he2013lf
usdavetrana.it/dn81o
vonenidan.de/m3mmis
www.centroinfantilelmolino.com/qtuuvm2
www.johnlodgearchitects.com/haqew
www.pececitos.com/9ehkrke

The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:

109.234.35.71 (McHost.ru, Russia)
185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
194.31.59.147 (HostBar, Russia)
195.123.209.227 (Layer6 Networks, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)

Recommended blocklist:
109.234.35.71
185.146.169.16
193.9.28.254
194.31.59.147
195.123.209.227
217.12.223.88
217.12.223.89

Malware spam: "Requested document" / "The document you requested is attached" leads to Locky

This spam comes from various senders, and leads to Locky ransomware:

From:    Trudy Bonner
Date:    27 June 2016 at 15:39
Subject:    Requested document

Dear [redacted],

The document you requested is attached.

Best regards


Trudy Bonner
Group Director of Strategy

Attached is a ZIP file containing elements of the recipients email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with unpaid.

Trusted external analysis (thank you as ever) shows the scripts downloading from one of the following locations:

192.186.246.134/~advancedptr/4kw2yb
210.171.0.30/~akfa8701/76p9su
216.218.93.172/~thelma2/7a4q7knx
217.172.226.2/~redpaluch/8ji21s5
217.172.226.2/~vikolor/3pdqsh
300tomoli.it/0qgidk55
3141592.ru/rvhijql
4k18.com/lpschs
80.244.134.169/x4jzt5
82.140.32.172/~hoddl/4etb1e1
adbm.co.uk/104ky
addonworks.com/aaotksj
angeelle.nichost.ru/sf0bm5rz
arogyaforhealth.com/apqbmvr
asliaypak.com/zcubi7
atlantaelectronics.co.id/kjdfbm
babycotsonline.com/hiy96z
beautifulhosting.com.au/ljtxwrr4
bisericaromaneasca.ro/amfcy
bobbysinghwpg.com/fx1jpyt
cameramartusa.info/qaghx
camera-test.hi2.ro/5w9tcm
certifiedbanker.org/faplav8m
clients.seospell.co.in/8jq6cu
climairuk.com/bv7haqcm
cond.gribochechki.ru/v84pn
delicious-doughnuts.net/t81of0k
empiredeckandfence.com/8wytfp
euro-support.be/jo1s8r3k
focolareostuni.it/1tl199rq
hudebiah.net/vyz44p8
immoclic.o2switch.net/mpzkos32
ingstroymash.ru/vi4hwfp
jd-products.nl/msjswnn
mycreativeprint.com/f9qa60q
potolok-profit.ru/w9oyt
sherlock.uvishere.com/2ujlndd
staffsolut.nichost.ru/wif31sug
tip.ub.ac.id/bzrnweoo
www.centroinfantilelmolino.com/2sgw0ch

The malware phones home to the following hosts:


51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
109.234.35.71 (McHost.ru, Russia)
185.82.216.61 (ITL, Bulgaria)
185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
195.123.209.227 (ITL, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)

Lots of ITL recently... you might want to block /24s here instead of single IPs.

Recommended blocklist:
51.254.240.48
109.234.35.71
185.82.216.61
185.146.169.16
195.123.209.227
217.12.223.88
217.12.223.89

Malware spam: DOC1234 / document4321 / Document56789 leads to Locky

This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).

The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.

Some examples

Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip

Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:

calcoastlogistics.com/09ujnb76v5?yNVICJbit=nFikKFve
labthanhthanhpg.com/09ujnb76v5?yNVICJbit=nFikKFve
patmagifts.asia/09ujnb76v5?yNVICJbit=nFikKFve
shadowbi.com/09ujnb76v5?yNVICJbit=nFikKFve
www.tmdmagento.com/09ujnb76v5?yNVICJbit=nFikKFve

Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)

Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61

Malware spam: "Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter."

This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:

From:    Lilian Fletcher
Date:    21 June 2016 at 20:01
Subject:    Re:

Dear lisa:

Please find attached our invoice for services rendered and additional disbursements in the above-
mentioned matter.

Hoping the above to your satisfaction, we remain.

Sincerely,
Lilian Fletcher
Head of Maintenance

These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words addition, invoice or services plus the recipients email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition".

A trusted third-party analysis (thank you, you know who you are) shows download locations at:

204.232.192.84/abjvucr
akdenizozalit.com/ixoxi
allchannel.net/lue6c4
aloprint.com/bk0f2
arabian-star.com/nay7jq7
beluxfurniture.com/0jcxx
cbactive.com/1sdfs
clerici.info/g1sd5d59
depaardestal.nl/z5htsm
ding-a-ling-tel.com/bazk3kao
easysupport.us/fl85xie
ekonova.nazwa.pl/wc0coj
ft.dol.za.pl/ymsikgp7
fuji-mig.com/awcigpa1
futuretech-iq.net/koqpy
handicraftmag.com/mrihc
heavenboundministry.com/i7a59qj
hrlpk.com/s5ibqz1
hyip-all.com/9qwmc65
iminlife.com/cqoanbzr
infocuscreative.net/didt48j
innatesynergy.com/mrgdve3
jasoncoroy.com/szlzqni
kitchenconceptagra.com/5s9xb7j
komplettraeder-24.de/w61qx92
marxforschung.de/tt18a
modelestrazackie.za.pl/zfww8nx
otolocphat.com/bv2n241r
passagegoldtravel.com/bqugo3qb
pawelbuczynski.za.pl/z1q8u
percorsipsicoarte.com/6gz707c
pub-voiture.com/dcsjrjm
racedayworld.com/808k8pd
reginamargherita96.net/hhtvomcw
rzezba-bierowiec.za.pl/y7fbo1a
samrhamburg.com/jrh9b
scpremiumbikes.com/3y1b0n4s
searchforamy.com/1fz0k9kp
stbb.pt/z59ifwj
stckwt.net/p4jlk
testfacility.awsome.pl/zc73v
totalsportnetwork.com/kpbrp2mq
ugmp.nazwa.pl/xkhhf2n
unitedprogamers.za.pl/ylxt67
vantagenetsvc.com/a7xssz
vinabuhmwoo.com/69udv
wasearch.us/6mm3hk
wbksis.com/5mxl28il
yourworshipspace.com/a3py3w

Analysis by those parties shows that it phones home to:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
217.12.223.83 (ITL, Ukraine)

As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.

Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
217.12.223.83

Malware spam: "Neue Abrechnung Nr. 746441" / support@sipcall.de

This German-language spam has a malicious attachment:

From:    support@sipcall.de
Date:    27 May 2016 at 10:57
Subject:    Neue Abrechnung Nr. 746441


Guten Tag

Im Anhang erhalten Sie die neue Rechnung des vergangenen Monates mit der Abrechnungsnummer 746441.

Für eine fristgerechte Bezahlung danken wir Ihnen. Bei Fragen oder Anregungen steht Ihnen unser Kundendienst gerne zur Verfügung.


Freundliche Grüsse
Ihr VoIP Provider


Dies ist eine automatisch generierte Nachricht. Antworten auf diese E-Mail können nicht bearbeitet werden.

Reference numbers vary. Attached is a randomly-named Word document (e.g. INV842038-746441.docm). The sample I submitted to Malwr showed it downloading a binary from:

www.ding-a-ling-tel.com/98yh87nb6v4

Other sources indicate additional download locations at:

egadget.ru/98yh87nb6v4
www.samrhamburg.com/98yh87nb6v4
bridgeplacements.com/98yh87nb6v4
birlesimsucuklari.com/98yh87nb6v4
ecpi.ro/98yh87nb6v4
wondervalley.in/98yh87nb6v4
acnek.com/98yh87nb6v4
cacpa.org/98yh87nb6v4
cobrebactericida.org/98yh87nb6v4
greenwfms.com/98yh87nb6v4
iwebmediasavvy.com/98yh87nb6v4
projectodetalhe.pt/98yh87nb6v4
renaudsfurniture.ca/98yh87nb6v4
saintkatherine.orthodoxy.ru/98yh87nb6v4
www.orchidealito.it/98yh87nb6v4

There are probably other locations too.

An executable is dropped with a detection rate of 3/56. The Hybrid Analysis and DeepViz report both indicate different phone-home locations:

193.9.28.13 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
5.152.199.70 (Redstation, UK)

Private sources also indicate C2s at:

212.109.219.31 (JSC Server, Russia)
107.181.187.12 (Total Server Solutions, US)

The payload is Locky ransomware.

Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12

Malware spam: "Please find attached a document containing our responses to the other points which we discussed.."

This spam appears to come from different companies and senders, and has a malicious attachment:

From:    Sara Osborne
Date:    26 May 2016 at 10:53
Subject:    RE:

Dear sales,

Please find attached a document containing our responses to the other points which we
discussed on Monday 23th May.

Please let me know if you have any queries


Regards,

Wayfair Inc.

Sara Osborne

Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script name in a similar way to employees -382-.js. These have a typical detection rate of 4/56.

Two samples analysed by Malwr [1] [2] show download locations from:

newgeneration2010.it/mkc27f
projectodetalhe.pt/do5j36a

There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:

138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)

This behaviour is consistent with Locky ransomware.

Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70

Malware spam: "Please find attached the file we spoke about yesterday" leads to Locky

This spam appears to come from random senders, and leads to Locky ransomware:

From:    Graham Roman
Date:    23 May 2016 at 11:59
Subject:    Re:

Hi [redacted]

Please find attached the file we spoke about yesterday.

Thank you,
Graham Roman
PCM, Inc.

Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:

oakidea.com/by2eezw8
islandflavaja.com/0p1nz
dragqueenwig.com/itukabk

Automated analysis of the script [1] [2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56. Those prior reports plus these additional analyses of the binary [3] [4] [5] show network traffic to:

188.166.168.250 (Digital Ocean, UK)
31.41.44.45 (Relink Ltd, Russia)
92.63.87.53 (MWTV, Latvia)

Those reports all demonstrate clearly that this is Locky ransomware, although the barely encrypted downloaded binaries are a new feature.

UPDATE

Trusted third-party analysis (thank you) shows some additional download locations:

4cornerbazaar.com/rcjmp
ap-shoes.com/r3mkkch
b2cfurniture.com.au/ztydt7
babyhalfoff.com/di286c
bekith.com/twe4puv
canalshopping.com.br/kf5d9
ereganto.com.br/4bxi09t
farmavips.com/hlnl21tf
fina-mente.com/kitrl2
hablatinamerica.com/mkhxrsm
jhplhomedecor.com/m637g
joyofgiving.com.au/1b6v94yu
la-mousson.de/pxwimc
lojaonline.eurobar.pt/kmdb4euf
maibey.com/bakcy9s
metallerie.com/uh0kd
mymy365.com/d7bd2
objetsdinterieur.com/0p1nz
peptide-manufacturer.com/jc6pxks
pro-lnz.com/9ed5v5v
promotionalsales.com.au/0iobfbwc
store.steelalborz.com/fw4i3ssf
stylelk.com/12opjwfh

The MD5s of decrypted downloaded files are:

0cef8d79dd32b5701768ffb3e80dd6c9
18e1591325994d60468e58b30bd47ec7
1e1b9729198cb392636ad4b8ec880284
1eacf23630db85c2af07d2657c1a0917
2742891aff1f20ee09a67d29c5b4157d
2f7373602c67761a1666c3170a0adfd9
4f4d754ffb9b33c5b2b7ec6c38dc6a30
517c1805c2b805a801a6132bfd9d7a69
64eef31dc4cd4dc1ca51b6686e4cdaa1
6fc220a8b95e2167c21d0e1f91a516cb
73552fcfff60a171965103d691679b43
8108de8bf200d4baa62541e9eeca2ee4
9125956e3ee99b9f59b595fcba9ac658
9da331f4353f5b0033c162eb308a8197
a01d60682ad5fadc9018908185e8cde3
aceec3d6334e925297efc8d4232473c2
afd40dca335530ec993d9cf91be96b4c
d69adb50c7f2436f5f7502f22b3a5714
dab81432d4d6241e47d7110b8d051f41
de6c020b8639fda713fbe2285dc6740c
eb3391cefb6634e587b58e0d6540c7c3
fb56f158f6f4c81f7bed2a7c4490fadb

One additional C2 server:

176.31.47.100 (Unihost, Seychelles / OVH , France)

Recommended blocklist:
188.166.168.250
31.41.44.45
92.63.87.53
176.31.47.100