Category: Malspam


ZIP File Containing HTA File Leads to Locky Ransomware

IOCs:
121.200.60.26 – onushilon.org/56f2gsu782desf – GET request for payload

Hashes:
SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7  File name: 20160920034329138280504.zip
SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66  File name: QL5LY62838.hta
SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d  File name: iIrfSCB1
SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e  File name: iIrfSCB1.dll

Infection Chain: The user received an email from with no subject and no content. The only thing contained in the email was an attached .zip ...


“Delivery Confirmation” Leads to Locky Ransomware

IOCs:
49.212.150.106 – mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl

Hashes:
SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29  File name: UCCNTXS1519.js
SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a  File name: giHhrMNI1.dll
SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0  File name: giHhrMNI1

The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email are shown below: Notice how the email contains a ...


ZIP’D JScript File Leads to Malware (boxun4.bin)

IOCs:
Sub-domains at .adultgameapp.ru and proadultgame.ru

I received some malspam on 9/2/16 entitled “Take easy steps on the ladder of happiness”. The email address of the sender was tqdwsaltpan@wavesboatclub.com and it was supposedly from a “Bettie K. Letbetter”: Allowing pictures to be displayed in the email shows sexually explicit content. Clicking on the link “Lecherous ...


ZIP’d WSF File Retrieves Locky Ransomware

IOCs:
82.197.131.109 – imex.atspace.com – GET /sxqtddp?VlwYKkCOYvI=axCugUhsM
213.205.40.169 – archiviestoria.it – GET /waotorf?VlwYKkCOYvI=axCugUhsM
69.195.129.70 – tlehsdy.biz – POST /data/info.php

Hashes:
SHA256: 010b6da42c0b377f4b28fbcaa1268f046eeb403a3eb79dfb395fc3c2c0daa85e  File name: xVTvTcaaG1
SHA256: 4baf40fe1c7fafd89befe4f2e2bd36aefc8a4faf395631d8bac20e09e372725b  File name: xVTvTcaaG2
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7  File name: xVTvTcaaG2.dll

The infection starts with a user getting malspam. This email is coming from an iCloud account and it contains a ...


ZIP’d WSF File Drops Locky Ransomware

IOCs:
62.42.230.17 – http://www.malicioso.net – GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
62.42.230.17 – http://www.idiomestarradellas.com – GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
167.114.138.3 – maxshoppppsr.biz – GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM
69.195.129.70 – tlehsdy.biz – POST /data/info.php
91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php

Hashes:
SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575  File name: asWMWhWmB3.dll and asWMWhWmB1.dll
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7  File name: asWMWhWmB2.dll

The user received the following malspam: Summary: From: Bertha_145@icloud.com Subject: 39098622pdf ...