
xxxxxx_PDF.vbs drops Locky DLL(s)

Posted in vbs, ransomware


Payload: transaction_details_ED8064_PDF.vbs

Detection ratio: 18 / 54

MD5: c4808c260c6c7f3bd023a92e7b511fb5
SHA1: b49fab9a49116143ccc59767c6822d1a69b6c489
SHA256: 8719f8ee60279d1e79a7652ed649005fb3c94052b3530ad9bc732e06436eb562
File type: VBScript



The VBScript downloads a Win32 DLL from the following locations (one DLL per URI; the DLL hashes are listed below):

Domain           URI        IP
animine.com      /r1slclp   down
bisskultur.de    /rawmjx    217.92.135.180
176.9.41.156     /rodru     176.9.41.156
sonsytaint.com   /4mgxlrf   138.201.244.4 & 67.171.65.64
koranjebus.net   /4rwg5     138.201.244.4 & 67.171.65.64




Network Signatures (Emerging Threats rule IDs that fired on the DLL downloads):
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2007671:15] ET POLICY Binary Download Smaller than 1 MB Likely Hostile
[1:2019822:7] ET CURRENT_EVENTS WinHttpRequest Downloading EXE
[1:2022653:2] ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension
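All four rules key on what comes back in the HTTP body, not on the URI: the URIs above (/4mgxlrf, /rodru, ...) carry no executable extension, yet the response starts with an MZ/PE header, is well under 1 MB, and has the DLL bit set. The following is an added example (not the blog's own tooling) that applies the same checks to a fetched body in Python: it walks the DOS header to the COFF header, reads the Characteristics flags, and compares the SHA256 against the four DLL hashes on this page. The PE blob it builds is constructed for the test and is not a real sample; the URL http://example.com/setup.exe is hypothetical.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# Byte-level checks that mirror what the ET rules above fire on: a PE body
# (MZ / PE\0\0 signatures) served from a URI with no executable extension,
# smaller than 1 MB, and here flagged as a DLL. Added example, not the blog's
# tooling. The SHA256 set is copied from the payload hashes on this page.

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C

KNOWN_LOCKY_LOADERS = {
    "82a71f9246eaaed976c46bf3f22bbb3ec5672284120b992be775f76e661301eb",  # 4mgxlrf
    "b5390a3d0ef3b1e6ae7759bca88b7f712af931f968054398091778e32c6ca82d",  # 4rwg5
    "d2ab754ab00916bb9e36f2aacf8652d3bb2c5b9189c417ce4ddf3af738ed8247",  # rawmjx
    "311e45fca90c6d8a6b4859686236f257d8a49e240ef393c802040293c1900c51",  # rodru
}


def pe_info(data: bytes):
    """Return (is_pe, is_dll, machine) by walking the DOS header to the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return (False, False, None)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return (False, False, None)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return (True, bool(characteristics & IMAGE_FILE_DLL), machine)


def triage(url: str, body: bytes) -> dict:
    """Classify a fetched HTTP body the way the ET POLICY / CURRENT_EVENTS rules do."""
    is_pe, is_dll, machine = pe_info(body)
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    flags = []
    if is_pe:
        flags.append("pe")                                  # 2000419
        if len(body) < 1_000_000:
            flags.append("binary-under-1mb")                # 2007671
        if ext not in ("exe", "dll"):
            flags.append("pe-with-non-exe-extension")       # 2022653
        if is_dll:
            flags.append("dll")
    sha256 = hashlib.sha256(body).hexdigest()
    if sha256 in KNOWN_LOCKY_LOADERS:
        flags.append("known-locky-loader")
    return {"sha256": sha256, "machine": machine, "flags": flags}


def build_fake_pe(dll: bool) -> bytes:
    """Constructed stand-in for a downloaded body: DOS header + PE signature + COFF header.
    Not a real sample and not loadable; it only exercises the header checks."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)        # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(triage("http://sonsytaint.com/4mgxlrf", build_fake_pe(dll=True)))
```

The hash match is the weakest of the checks: it only catches the exact DLLs from this run, and Locky campaigns rotated payloads frequently. The header checks are what give the same coverage as the ET rules for the next repack.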




Payload: 4mgxlrf

Detection ratio: 13 / 53

MD5: a2c2d98dc3612a40b310c61ed56c93f8
SHA1: 25b065b0cc86489d7bef38a61241e75d49b0b30d
SHA256: 82a71f9246eaaed976c46bf3f22bbb3ec5672284120b992be775f76e661301eb
File type: Win32 DLL



Payload: 4rwg5

Detection ratio: 8 / 57

MD5: 24c9f3ecc330257e43fa150d5c6d08ef
SHA1: 97ce5974cf84d9c5a4fb1ec913a37e852762e09b
SHA256: b5390a3d0ef3b1e6ae7759bca88b7f712af931f968054398091778e32c6ca82d
File type: Win32 DLL


Payload: rawmjx

Detection ratio: 10 / 57

MD5: 7e70b563733f9e934251f0dc4233c138
SHA1: c0d27b8b6b195e1a53bd42322b271bf1af5e2f07
SHA256: d2ab754ab00916bb9e36f2aacf8652d3bb2c5b9189c417ce4ddf3af738ed8247
File type: Win32 DLL


Payload: rodru

Detection ratio: 8 / 56

MD5: 827d74802728d29e9c8f699212572200
SHA1: be6908a438a13af2011f44e73490f9adfa83982a
SHA256: 311e45fca90c6d8a6b4859686236f257d8a49e240ef393c802040293c1900c51
File type: Win32 DLL


Locky C2 Servers (all callbacks in this run hit the same path, /linuxsucks.php):
hxxp://gdqqvfjcskwjodiwq[.]ru/linuxsucks.php
hxxp://ssnoqbdvosm[.]ru/linuxsucks.php
hxxp://jkeaefpim[.]xyz/linuxsucks.php
hxxp://krgrietujjxcgd[.]click/linuxsucks.php
hxxp://pgymkbkkhyni[.]pl/linuxsucks.php
hxxp://81.177.22[.]164/linuxsucks.php
hxxp://185.82.217[.]88/linuxsucks.php
hxxp://91.234.32[.]202/linuxsucks.php
hxxp://alecjryuw[.]xyz/linuxsucks.php
hxxp://atfnqauojbgrrwkq[.]su/linuxsucks.php
hxxp://xrfhixivdfdwvswqr[.]biz/linuxsucks.php
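The C2 list is a snapshot from this sample's traffic, but every entry shares one path, so a hunt over proxy logs should match on the path as well as on the hosts. The following is an added example (not the blog's own tooling) that refangs the list above, then runs three checks over log lines: known C2 host, /linuxsucks.php on any host, and a GET for one of the loader URIs from the download table. The log format (timestamp, client, method, URL, status) and the lines themselves are constructed; the host qwertzuiop.click is hypothetical and stands in for a C2 domain not yet on the list.

```python
from urllib.parse import urlsplit

# Detection pass over proxy logs for the IOCs on this page. Added example,
# not the blog's own tooling. The log format is constructed (ts, client,
# method, URL, status) and qwertzuiop.click is a hypothetical host.

DEFANGED_C2 = """
hxxp://gdqqvfjcskwjodiwq[.]ru/linuxsucks.php
hxxp://ssnoqbdvosm[.]ru/linuxsucks.php
hxxp://jkeaefpim[.]xyz/linuxsucks.php
hxxp://krgrietujjxcgd[.]click/linuxsucks.php
hxxp://pgymkbkkhyni[.]pl/linuxsucks.php
hxxp://81.177.22[.]164/linuxsucks.php
hxxp://185.82.217[.]88/linuxsucks.php
hxxp://91.234.32[.]202/linuxsucks.php
hxxp://alecjryuw[.]xyz/linuxsucks.php
hxxp://atfnqauojbgrrwkq[.]su/linuxsucks.php
hxxp://xrfhixivdfdwvswqr[.]biz/linuxsucks.php
"""

# Loader download URLs from the table earlier on the page.
LOADER_URLS = {
    "http://animine.com/r1slclp",
    "http://bisskultur.de/rawmjx",
    "http://176.9.41.156/rodru",
    "http://sonsytaint.com/4mgxlrf",
    "http://koranjebus.net/4rwg5",
}


def refang(ioc: str) -> str:
    """Turn hxxp://a[.]b back into a URL urlsplit can parse."""
    return ioc.strip().replace("hxxp://", "http://").replace("[.]", ".")


def load_c2(block: str):
    """Split a defanged C2 list into the set of hosts and the set of paths."""
    hosts, paths = set(), set()
    for line in block.splitlines():
        if not line.strip():
            continue
        u = urlsplit(refang(line))
        hosts.add(u.hostname)
        paths.add(u.path)
    return hosts, paths


C2_HOSTS, C2_PATHS = load_c2(DEFANGED_C2)


def classify(url: str):
    """Return a reason string for a suspicious URL, or None."""
    u = urlsplit(url)
    if u.hostname in C2_HOSTS:
        return "c2-known-host"
    if u.path in C2_PATHS:
        # Every C2 on the page uses /linuxsucks.php; matching the path
        # catches callbacks to hosts that are not on the list yet.
        return "c2-path-pattern"
    if f"{u.scheme}://{u.hostname}{u.path}" in LOADER_URLS:
        return "loader-download"
    return None


def find_locky(lines):
    """Scan constructed proxy log lines and return the hits with their reason."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, method, url, status = parts[:5]
        reason = classify(url)
        if reason:
            hits.append({"ts": ts, "src": src, "method": method,
                         "url": url, "status": status, "reason": reason})
    return hits


# Constructed log lines: one known C2, one unlisted host on the C2 path,
# one loader fetch, one benign request.
SAMPLE_LOG = """\
1465312801.114 10.0.0.23 POST http://gdqqvfjcskwjodiwq.ru/linuxsucks.php 200
1465312802.551 10.0.0.23 POST http://qwertzuiop.click/linuxsucks.php 200
1465312810.002 10.0.0.41 GET http://sonsytaint.com/4mgxlrf 200
1465312815.777 10.0.0.9 GET http://www.example.com/index.php 200
"""

if __name__ == "__main__":
    for h in find_locky(SAMPLE_LOG.splitlines()):
        print(h["ts"], h["src"], h["reason"], h["url"])
```

The path match is the one worth keeping after the hosts go stale; the loader URL match is useful mainly for finding the first victim in a log window, since the same URIs are served to every recipient of the spam run.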



Associated files:
payloads.zip
traffic.zip
