Category: Malspam

Malspam Leads to Malicous Word Document Which Downloads Geodo/Emotet Banking Malware

Download location where I got the malicious Word document: 192.232.223.76 – kinonah.com – GET /Cust-4762868855/ – Compromised website hosting malicious Word document VirusTotal Report Hybrid-Analysis Report SHA256: d8cfe351daa5276a277664630f18fe1e61351cbf3b0a17b6a8ef725263c0cab4 Additional Word document download locations: 213.190.161.210 – avenueevents.co.uk/Cust-PBP-03-D683320/ 67.212.91.221 – kingstoncybermall.com/Cust-3647227423/ 5.10.105.46 – theuntoldsorrow.co.uk/ORDER.-XI-80-UY913942/ 173.236.177.156 – visuals.com/CUST.-VT-38-RH422386/ 192.254.251.86 – thenursesagent.com/ORDER.-9592209302/ 192.185.148.240 – tiger12.com/TGA-48-76252-doc-May-04-2017/ 192.185.216.220 – gabrielramos.com.br/lxu-3h-ip079-zgmg.doc/ 146.185.16.121 ...

Hacked Sites Redirecting Users to Various Malvertising Campaigns

I had somebody contact me via my Contact page saying that they found my post on the Seamless campaign leading to RIG exploit kit. They had told me that they had received an email with the following link multitaskcleaners[.]co[.]uk/giftwrap.php?1702. He went on to say that going directly to multitaskcleaners[.]co[.]uk redirected him to 194.58.42.227/flow339[.]php. 194.58.42.227 is the same gate from my ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs: 86.106.93.230 – datsonsdaughter.com – Good Man gate 109.234.37.212 – see.letsown.com – RIG EK 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key] Traffic: Hashes: SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf SHA256: ...

&

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs: 211.149.241.201 – phpwind.0592yt[.]com/result – Download location 115.29.247.219 – 902f[.]com/result- Download location 176.114.0.20 – shema.org[.]ua/result – Download location 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location 202.133.118.222 – aqua-inter[.]com/result – Download location 194.28.49.140 – cdsp[.]pl/result – Download location 216.110.144.152 – hanavanpools[.]com/result – Download location 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location 193.201.225.124 – POST /checkupdate – Locky C2 ...

&

“Bill for Papers” Drops Locky (.Osiris) (/checkupdate)

IOCs: 162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script 222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script 199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script 107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script 176.121.14.95 – POST /checkupdate – C2 IP Traffic: Hashes: SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544 File name: 765-HIGV0613.wsf Hybrid-Analysis Submission SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be ...

&

“Payment Receipt” Drops Locky (.osiris)

IOCs: 62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI Additional Download Locations (contained in obfuscated JS downloader): u-niwon.com/098tb – 218.232.104.232 chanet.jp/098tb – 210.196.232.211 valuationssa.com.au/098tb – 104.27.149.238 More compromised sites being used as download locations (posted by Techhelplist): aetech-solutions.com/098tb – 37.59.51.53 bigtrust.co.kr/098tb – 211.40.221.90 braindouble.com/098tb – 207.45.186.214 haibeiwuliu.com/098tb – 122.114.99.100 laferwear.com/098tb – 97.74.215.147 malamut.org/098tb – 212.85.104.64 markettv.ro/098tb – ...

&

“Card Receipt” Leads to Locky (.osiris)

IOCs: 116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site Additional Distribution Sites: wiktorek140.cba.pl (95.211.144.65) yourwebstek.nl (185.87.184.130) xxmaoyi.com (120.25.161.125) eroicgrvh38j3f3.com (94.231.77.230) 91.142.90.46 – POST /checkupdate Traffic: Hashes: SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea File name: img(194).jse Hybrid-Analysis Link (JS Nemucod) SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6 File name: msTTSUO1 SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1 File name: msTTSUO1.dll Hybrid-Analysis Link Email: The attached file is a ZIP ...

M

Malspam Leads to Locky (.zzzzz)

IOCs: 185.25.149.13 – xn--pasaer-spb.pl – Distribution Site 139.224.165.195 – temail.com – Distribution Site DNS queries: bqukfjfv.org (69.195.129.70) abwwngsovislmi.info sqoygkkolb.biz vbtjntlcl.info akhsipwfesvxmer.xyz iwswtkibjbsrqj.ru eltbqgwtjmqvf.su hmthqpva.su hxbvgunernmw.pw vqpiuffvpgdop.pw qrdobtle.pw udfkorp.xyz wibcjkwrk.ru szwanrong.com (119.29.99.214) amnclgo.click ktlgpiilbj.biz hhmunlxtxjpv.xyz egxjtbh.work nrkvwucxxqgbi.org qijftdcnky.click Traffic: Hashes: SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7 File name: 201612031056373427451410.vbs Hybrid-Analysis Link SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e File name: uQzqIRdHQ.34 SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf File name: ...

M

Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs: 93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw 37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw 108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw 194.1.239.152 – POST /linuxsucks.php 51.255.107.20 – POST /linuxsucks.php 194.28.87.26 – POST /linuxsucks.php Traffic: DNS Requests: Domain IP Address Country iyemdymjdev.pl qcatgljdsgfvcqq.pw pllyggakgcuto.org moyihqyicfciqf.ru mygyylys.biz uxwamyckkeyfndcrg.xyz odysdabvtgvjqguls.pw bestline.cz 93.185.104.25 Czech Republic decactus.cl 108.163.209.27 United States hrogqamrchfj.info qsrxtej.info ...

&

“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs: 185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE 69.195.129.70 – disvfthejnadoufh.biz – POST /message.php 176.103.56.119 – POST /message.php 109.234.35.230 – POST /message.php Traffic: DNS Requests: Domain IP Address Country xbgokbdvilnrlw.info cwvmkawujq.su ukyrrqcxd.su jkvhihqdaaoyd.org ihdteyhyewuaid.click bjbsbpmhlpwaxf.pl torproject.org 82.195.75.101 Germany ojxbkeexoqrbirtq.org bqpkcrxsx.su dx-team.org 185.17.41.83 Poland mwddgguaa5rj7b54.onion.to 185.100.85.150 Romania kcnwtdns.pw jyvityqhfggxicasf.pw mwddgguaa5rj7b54.tor2web.org 38.229.70.4 United States Hashes: SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0 File ...