Category: Malspam

&

“Card Receipt” Leads to Locky (.osiris)

IOCs: 116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site Additional Distribution Sites: wiktorek140.cba.pl (95.211.144.65) yourwebstek.nl (185.87.184.130) xxmaoyi.com (120.25.161.125) eroicgrvh38j3f3.com (94.231.77.230) 91.142.90.46 – POST /checkupdate Traffic: Hashes: SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea File name: img(194).jse Hybrid-Analysis Link (JS Nemucod) SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6 File name: msTTSUO1 SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1 File name: msTTSUO1.dll Hybrid-Analysis Link Email: The attached file is a ZIP ...

M

Malspam Leads to Locky (.zzzzz)

IOCs: 185.25.149.13 – xn--pasaer-spb.pl – Distribution Site 139.224.165.195 – temail.com – Distribution Site DNS queries: bqukfjfv.org (69.195.129.70) abwwngsovislmi.info sqoygkkolb.biz vbtjntlcl.info akhsipwfesvxmer.xyz iwswtkibjbsrqj.ru eltbqgwtjmqvf.su hmthqpva.su hxbvgunernmw.pw vqpiuffvpgdop.pw qrdobtle.pw udfkorp.xyz wibcjkwrk.ru szwanrong.com (119.29.99.214) amnclgo.click ktlgpiilbj.biz hhmunlxtxjpv.xyz egxjtbh.work nrkvwucxxqgbi.org qijftdcnky.click Traffic: Hashes: SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7 File name: 201612031056373427451410.vbs Hybrid-Analysis Link SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e File name: uQzqIRdHQ.34 SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf File name: ...

M

Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs: 93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw 37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw 108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw 194.1.239.152 – POST /linuxsucks.php 51.255.107.20 – POST /linuxsucks.php 194.28.87.26 – POST /linuxsucks.php Traffic: DNS Requests: Domain IP Address Country iyemdymjdev.pl qcatgljdsgfvcqq.pw pllyggakgcuto.org moyihqyicfciqf.ru mygyylys.biz uxwamyckkeyfndcrg.xyz odysdabvtgvjqguls.pw bestline.cz 93.185.104.25 Czech Republic decactus.cl 108.163.209.27 United States hrogqamrchfj.info qsrxtej.info ...

&

“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs: 185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE 69.195.129.70 – disvfthejnadoufh.biz – POST /message.php 176.103.56.119 – POST /message.php 109.234.35.230 – POST /message.php Traffic: DNS Requests: Domain IP Address Country xbgokbdvilnrlw.info cwvmkawujq.su ukyrrqcxd.su jkvhihqdaaoyd.org ihdteyhyewuaid.click bjbsbpmhlpwaxf.pl torproject.org 82.195.75.101 Germany ojxbkeexoqrbirtq.org bqpkcrxsx.su dx-team.org 185.17.41.83 Poland mwddgguaa5rj7b54.onion.to 185.100.85.150 Romania kcnwtdns.pw jyvityqhfggxicasf.pw mwddgguaa5rj7b54.tor2web.org 38.229.70.4 United States Hashes: SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0 File ...

M

Malspam Leads to Locky (.shit) (/linuxsucks.php)

IOCs: 192.186.241.104 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx 108.168.206.100 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky 208.100.26.234 – gtlbihmxh.pw – POST /linuxsucks.php Additional Distribution Domains from Hybrid-Analysis Report: sowkinah.com – 62.84.69.75 bagnet.ir – 176.9.129.91 nanrangy.net – 120.117.3.119 Traffic: IDS Alerts: Hashes: SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e File name: Receipt 17577-140426.wsf Hybrid-Analysis Report SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79 File name: AvURdJbXv2.dll Infection Chain: ...

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs: 77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2 81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony 77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2 104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak 185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC) Traffic: IDS Events: Hashes: SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8 File name: contract_54262.doc SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926 File name: hancitor.dll SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495 File name: ...

J

JScript Downloads Locky Ransomware

IOCs: 166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD 216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD 51.254.108.40 – Locky callback traffic – POST / data/info.php Traffic: Hashes: SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6 File name: DuINsSc1 SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75 File name: DuINsSc2 SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859 File name: DuINsSc2.dll Infection Chain: This is a pretty standard infection chain for Locky right now. The malspam was ...