TCKT+xxxxxx.vbs drops Locky DLL(s)

Posted in vbs, ransomware

Payload: TCKT+066E4DB.vbs Link

Detection ratio: 7 / 55

MD5: f04e73d91f90a83dc995e6fac6528bb8
SHA1: 15d74e4f230ee2f6b118a6e54707941cef85936a
SHA256: 4c135f0e314843d9eb8f456227d7d5f7fb716a4169f77f0aa8ff15abf120ade1
File type: VBScript

The VBScript downloads a Win32 DLL from the following locations:

domain                   uri        ip
ivankhoo.com             /r320590e  103.6.196.95
patriciaclarkfinley.com  /rmt972e   207.204.15.12
intesols.com             /sbzr0y    182.160.162.36
fleckmomus.net           /32afv     213.176.241.230, 67.171.65.64, 138.201.244.4
eccakamba.com            /3iz5b4    213.176.241.230, 67.171.65.64, 138.201.244.4

Network Signatures:
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2007671:15] ET POLICY Binary Download Smaller than 1 MB Likely Hostile
[1:2008438:17] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
[1:2019822:7] ET CURRENT_EVENTS WinHttpRequest Downloading EXE
[1:2022653:2] ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension
[1:2821569:5] ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2 A Network Trojan was detected
[1:2404572:4417] ET CNC Ransomware Tracker Reported CnC Server group 173

Payload: r320590e Link

Detection ratio: 7 / 55

MD5: 24c0f8bda812e5910e9a624b5de3da4e
SHA1: 0ae6eb9065781fe6b3ea4920c75ca0d8be9941ae
SHA256: 319484c6490d659fd894653dbfa9aa7235d82fbad0502bf6d058de8fb2a9c62a
File type: Win32 DLL

Payload: rmt972e Link

Detection ratio: 8 / 56

MD5: e8e5c16b0fc0c8310efd3c816a076c54
SHA1: b4b1220b90ca530e0125bc1d843ac34af9d273d6
SHA256: 3d9400f3a8ca7fe42bda64c2595676074a2a36422556d167078cb1b34864ee9a
File type: Win32 DLL


Payload: sbzr0y Link

Detection ratio: 8 / 56

MD5: 2498a6d4c88c85fa27ca64904caffe6d
SHA1: b4896247300c74a9babadefcb2e7ec67eac53220
SHA256: b9550d223a76e16336985b49640095296ed0dc473cdf5e5c7f2738057cb5b655
File type: Win32 DLL


Payload: 32afv Link

Detection ratio: 8 / 56

MD5: 71b6694667ad610525ae53ea99f7cc87
SHA1: 52fae1a5a00b3f739f13c0af8bfedfef32e1c1c7
SHA256: 15eb280554444623789f536766533924cc8e0a50040b4ed5b857f7fa162a0807
File type: Win32 DLL


Payload: 3iz5b4 Link

Detection ratio: 8 / 56

MD5: 28adc3cf866517294a0e30832ec06d4f
SHA1: 1ef95c7f6ea616bbb466073f1b7ebc120b16c515
SHA256: 668bc4c39f09a8d70287e3eed96361d66bab9526f9298abd32c0e075ace164b8
File type: Win32 DLL


Other Downloads:


Locky C2 Servers:

Associated files:
payloads.zip
traffic.zip
