Locky Downloader adds a Geo IP Check

Forum for analysis and discussion about malware.


Post by c0d3inj3cT » Thu Oct 12, 2017 5:43 am

In the ongoing spam campaign of Locky, there is a small upgrade made by attackers in the delivery mechanism. The VBScript-based downloaders have added a Geo IP check. Based on the geographical region in which the user is located, it either downloads Locky or Trickbot.

MD5 hash: 6e2692c124a69566838cde01b7669532

So now it is two in one, based on the geographical region the user is located in.

More details here: http://www.pwncode.club/2017/10/locky-b ... check.html

maddog4012
Posts: 63
Joined: Mon Aug 04, 2014 6:53 pm

Re: Locky Downloader adds a Geo IP Check

Post by maddog4012 » Thu Oct 12, 2017 12:52 pm

Domain            IP Address      Port
freegeoip.net     104.31.11.172   53
unhanorarse.info  49.51.134.78    53
team-bobcat.org   212.224.65.254  53
team-bobcat.org   212.224.65.254  80
unhanorarse.info  49.51.134.78    80
freegeoip.net     104.31.10.172   80
attached
MD5 hash: 6e2692c124a69566838cde01b7669532

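Added example, not part of either post: a detection sketch for the behaviour described in this thread, where a Windows script host queries a geo-IP service and then contacts another domain shortly afterwards. The log format, workstation names, timestamps and the 60-second window are assumptions, and the log lines are constructed; only the domain names (apart from the example.org filler) come from the thread.

```python
from datetime import datetime, timedelta

# Geo-IP lookup services to watch; freegeoip.net is the one listed in this thread.
GEOIP_SERVICES = {"freegeoip.net"}
# Windows script hosts that run VBScript files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed log (assumed format): timestamp, workstation, process, destination.
SAMPLE_LOG = """\
2017-10-12T09:00:01 WS-014 chrome.exe freegeoip.net
2017-10-12T09:00:04 WS-014 chrome.exe example.org
2017-10-12T09:14:30 WS-022 wscript.exe freegeoip.net
2017-10-12T09:14:33 WS-022 wscript.exe unhanorarse.info
2017-10-12T09:14:41 WS-022 wscript.exe team-bobcat.org
2017-10-12T09:40:00 WS-022 wscript.exe example.org
2017-10-12T10:02:10 WS-031 cscript.exe freegeoip.net
"""

def parse(log_text):
    """Yield (time, host, process, domain) from each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, proc, domain = line.split()
            yield datetime.fromisoformat(ts), host, proc.lower(), domain.lower()

def find_geoip_gated_downloads(log_text, window_s=60):
    """Return alerts for script hosts that look up their location and then
    contact another domain from the same workstation within window_s seconds."""
    window = timedelta(seconds=window_s)
    last_lookup = {}  # (host, process) -> time of most recent geo-IP lookup
    alerts = []
    for ts, host, proc, domain in sorted(parse(log_text)):
        if proc not in SCRIPT_HOSTS:
            continue  # browsers and other software query geo-IP services too
        key = (host, proc)
        if domain in GEOIP_SERVICES:
            last_lookup[key] = ts
        elif key in last_lookup and ts - last_lookup[key] <= window:
            delay = int((ts - last_lookup[key]).total_seconds())
            alerts.append({"host": host, "process": proc,
                           "domain": domain, "seconds_after_lookup": delay})
    return alerts

if __name__ == "__main__":
    for alert in find_geoip_gated_downloads(SAMPLE_LOG):
        print(alert)
```

A lookup with no follow-up connection (WS-031 in the sample) produces no alert, so the rule fires on the pairing rather than on the geo-IP query alone.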