Source: https://blog.dynamoo.com/2017/09/malware-spam-status-of-invoice-with-7z.html

DYNAMOO'S BLOG

Malware, spam, scams and random stuff, by Conrad Longmore.
MONDAY 18 SEPTEMBER 2017


MALWARE SPAM: "STATUS OF INVOICE" WITH .7Z ATTACHMENT



This spam leads to Locky ransomware:



> Subject:       Status of invoice
> From:       "Rosella Setter" ordering@[redacted]
> Date:       Mon, September 18, 2017 9:30 am
> 
> Hello,
> 
> Could you please let me know the status of the attached invoice? I
> appreciate your help!
> 
> Best regards,
> 
> Rosella Setter
> 
> Tel: 206-575-8068 x 100
> 
> Fax: 206-575-8094
> 
> *NEW*   Ordering@[redacted].com
> 
> * Kindly note we will be closed Monday in observance of Labor Day *



The name of the sender varies. Attached is a .7z archive file with a name similar
to A2174744-06.7z which in turn contains a malicious .vbs script with a random
number for a filename (examples here and here).


Automated analysis of those two samples [1] [2] [3] [4] shows this is Locky
ransomware. Both scripts attempt to download a component from:





yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64, which Hybrid Analysis
shows phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)

.7z files are popular with the bad guys pushing Locky at the moment. Blocking
them at your mail perimeter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158
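The two defensive measures the post recommends (filtering .7z attachments at the mail perimeter and blocking the two call-home addresses) can be checked mechanically. The following is an added example, not code from the blog or from any of the analysis services it cites. It uses only the Python 3 standard library: the first function parses a MIME message and flags .7z attachments both by extension and by the 7z magic bytes (so an archive renamed to dodge an extension filter is still caught); the second scans web-proxy log lines for the two IPs and the `/imageload.cgi` path quoted above. The message and log lines are constructed here for illustration, the `example.invalid` addresses and the `203.0.113.5` host are documentation-range placeholders, and the log line format is an assumption.

```python
"""Added example (not the blog post's own code): two checks that follow the
post's advice, using only the Python 3 standard library."""
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Every 7-Zip archive starts with these six signature bytes.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Indicators quoted from the blog post: the two call-home IPs and the path.
C2_IPS = {"91.191.184.158", "195.123.218.226"}
C2_PATH = "/imageload.cgi"


def find_7z_attachments(raw_message: bytes) -> list:
    """Return one dict per attachment that looks like a .7z archive.

    An attachment is flagged if its filename ends in .7z OR its decoded
    payload starts with the 7z signature, so renaming the file does not
    get it past the check."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".7z")
        by_magic = payload.startswith(SEVEN_ZIP_MAGIC)
        if by_ext or by_magic:
            hits.append({"filename": name, "by_extension": by_ext,
                         "by_magic": by_magic, "size": len(payload)})
    return hits


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a test message shaped like the one quoted in the post
    (constructed sample, addresses are placeholders)."""
    msg = EmailMessage()
    msg["Subject"] = "Status of invoice"
    msg["From"] = "Rosella Setter <ordering@example.invalid>"
    msg["To"] = "accounts@example.invalid"
    msg.set_content("Could you please let me know the status of the attached invoice?")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)?"
)

# Constructed sample log lines, not real traffic. The last line uses a
# documentation-range address to show a path-only match.
SAMPLE_LOG = """\
2017-09-18T09:41:02Z 10.0.0.15 GET http://91.191.184.158/imageload.cgi
2017-09-18T09:41:05Z 10.0.0.15 GET http://www.example.com/index.html
2017-09-18T09:42:10Z 10.0.0.22 POST http://195.123.218.226/imageload.cgi
2017-09-18T09:43:00Z 10.0.0.31 GET http://203.0.113.5/imageload.cgi
"""


def match_c2_traffic(log_text: str) -> list:
    """Return (client, host, reasons) for every line hitting an indicator.

    The IP match is the blocklist from the post; the path match is kept
    separate so a new server using the same check-in script still shows up."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, path = m["host"], m["path"] or "/"
        reasons = []
        if host in C2_IPS:
            reasons.append("blocklisted ip")
        if path == C2_PATH:
            reasons.append("c2 path")
        if reasons:
            alerts.append((m["src"], host, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    sample = build_sample_message("A2174744-06.7z", SEVEN_ZIP_MAGIC + b"\x00" * 32)
    for hit in find_7z_attachments(sample):
        print("7z attachment:", hit)
    for alert in match_c2_traffic(SAMPLE_LOG):
        print("C2 indicator:", alert)
```

The third alert in the sample log is deliberate: the host is not on the blocklist, but the `/imageload.cgi` request pattern still fires, which is the kind of hit worth reviewing when the operators rotate infrastructure.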




Posted by Conrad Longmore at 10:11
Labels: Bulgaria, Estonia, Locky, Malware, Ransomware, Spam, Viruses