FakeAV/Locker Delivered via Email

This campaign uses a link in the e-mail rather than an attachment. The link downloads a zip archive, and the user has to extract the executable inside and run it before anything happens.

Links:

HTTP Request Method = GET
HTTP URI contains *?php=receipt OR *.php?receipt=* OR *.php?info=* OR *.php?get_receipt=* OR *.php?receipt_print=* OR *.php?print_receipt=* OR *.php?receiptid=*
Regex HTTP URI for “(\.php\?(info|(get_|print_)?receipt|receipt_print|receiptid)=([a-z0-9]{2,}_[0-9]{3,}|[0-9]{6,})|\?php=receipt)”

See examples of FakeAV/Locker Delivered via Email on UrlQuery.net

The extracted file will be named something like PostalReceipt.exe.

At the time of writing the sample scored 30/45 on VirusTotal.

If the executable is run, the post-compromise traffic can be found with the following. Note that the URI regex below includes the IP-literal host, so it has to be applied to a field that carries host plus path, not the path alone. The User-Agent is a good pivot on its own: "Windows NT 9.0" does not correspond to any released Windows version, so no legitimate browser reports it.

HTTP Method = GET
Regex HTTP URI for (\d\d?\d?\.){3}\d\d?\d?\/[A-F0-9]{80,}$
HTTP Dest Port = 8080 or 60000 or 6667
HTTP User Agent = Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

You can also look for requests for *.dll.crp payload files, which are indicative of Kuluoz.B:

HTTP Method = GET
HTTP Dest Port = 8080
HTTP URI = */get/*.dll.crp
Regex HTTP URI for \/get\/[a-z0-9]+\.dll\.crp$
Content-type = application/octet-stream
HTTP User Agent = Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
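The three signatures above (the lure link, the post-compromise beacon, and the dll.crp payload fetch) run over a few constructed proxy records in the added Python example below. This is editor-added code, not part of the original post; the log format (method|host|port|path|content_type|user_agent), the hosts and the hex blob are all made up, and the regexes are applied to host plus path so the IP-literal check in the beacon regex has something to match on.

```python
import re

# Regexes and field values copied verbatim from the signatures in the post.
LURE_URI = re.compile(
    r"(\.php\?(info|(get_|print_)?receipt|receipt_print|receiptid)="
    r"([a-z0-9]{2,}_[0-9]{3,}|[0-9]{6,})|\?php=receipt)"
)
BEACON_URI = re.compile(r"(\d\d?\d?\.){3}\d\d?\d?\/[A-F0-9]{80,}$")
CRP_URI = re.compile(r"\/get\/[a-z0-9]+\.dll\.crp$")
KULUOZ_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BEACON_PORTS = {8080, 60000, 6667}
CRP_PORT = 8080


def parse(line):
    """Split one constructed proxy record: method|host|port|path|content_type|user_agent.
    'uri' is host + path so the beacon regex can see the IP-literal host."""
    method, host, port, path, ctype, ua = line.split("|", 5)
    return {"method": method, "host": host, "port": int(port),
            "uri": host + path, "ctype": ctype, "ua": ua}


def classify(rec):
    """Return the name of the signature the record satisfies, or None.
    Every field listed in a signature must match (the conditions are ANDed)."""
    if rec["method"] != "GET":
        return None
    if LURE_URI.search(rec["uri"]):
        return "fakeav-lure-link"
    if (rec["port"] in BEACON_PORTS and rec["ua"] == KULUOZ_UA
            and BEACON_URI.search(rec["uri"])):
        return "kuluoz-beacon"
    if (rec["port"] == CRP_PORT and rec["ua"] == KULUOZ_UA
            and rec["ctype"] == "application/octet-stream"
            and CRP_URI.search(rec["uri"])):
        return "kuluoz-dll-crp"
    return None


def scan(lines):
    """Return [(signature, uri), ...] for every record that matches a signature."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        label = classify(rec)
        if label:
            hits.append((label, rec["uri"]))
    return hits


# Constructed sample records (hosts under .invalid and RFC 5737 space; not real traffic).
HEX96 = "0123456789ABCDEF" * 6          # 96 uppercase hex chars, like the beacon path
NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"

SAMPLE_LOG = [
    # lure links as they appear in the e-mail
    "GET|www.example.invalid|80|/print_receipt.php?receipt=7a3bf_4411|text/html|" + NORMAL_UA,
    "GET|www.example.invalid|80|/index.php?info=558812734|text/html|" + NORMAL_UA,
    "GET|www.example.invalid|80|/track.php?receiptid=0d9c_20481|text/html|" + NORMAL_UA,
    # benign receipt page: value lacks the xx_nnn / 6+ digit shape, so no hit
    "GET|shop.example.invalid|443|/receipt.php?receipt=abc|text/html|" + NORMAL_UA,
    # post-compromise beacon and dll.crp fetch from the same host
    "GET|198.51.100.23|8080|/" + HEX96 + "|text/html|" + KULUOZ_UA,
    "GET|198.51.100.23|8080|/get/8f3a2c1b.dll.crp|application/octet-stream|" + KULUOZ_UA,
    # same path, but wrong port and a normal UA: the full signature is not met
    "GET|198.51.100.23|443|/get/8f3a2c1b.dll.crp|application/octet-stream|" + NORMAL_UA,
]

if __name__ == "__main__":
    for label, uri in scan(SAMPLE_LOG):
        print(label, uri)
```

The last two sample records show why the port, User-Agent and content type are part of the signature rather than the URI pattern alone. One caveat when porting the beacon regex to your own logs: if the URI field carries the port (198.51.100.23:8080/...), the `\/` immediately after the fourth octet no longer matches and the rule silently stops firing.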

Thanks to @Set_Abominae for helping to keep this updated!
