M2M - Locky Affid=3, ".asasin"/Trickbot "mac1" 2017-11-01 : "Invoice" - "12345_Invoice.doc"
AI Analysis
Technical Summary
This threat involves the Locky ransomware family, specifically a variant associated with TrickBot malware, identified around November 2017. Locky is a well-known ransomware that encrypts victims' files and demands payment for decryption. The event title "M2M - Locky Affid=3, '.asasin'/Trickbot 'mac1'" suggests a campaign or variant that uses TrickBot as a delivery or infection vector. TrickBot is a modular banking Trojan that has evolved to include ransomware deployment capabilities. The reference to an "Invoice" document named "12345_Invoice.doc" indicates a common phishing lure, where malicious documents masquerade as invoices to entice users to open them. Upon opening, these documents typically execute macros or exploit vulnerabilities to download and install TrickBot, which then may deploy Locky ransomware. The technical details are limited, but the threat level is noted as 3 (on an unspecified scale), and the severity is marked as low by the source. No specific affected product versions or patches are listed, and no known exploits in the wild are reported at the time of publication. The threat is categorized under ransomware and malicious code, with ties to the Locky ransomware family and the TrickBot malware tool. The campaign appears to rely on social engineering via email attachments to initiate infection chains leading to ransomware deployment.
Potential Impact
For European organizations, this threat poses a risk primarily through phishing campaigns delivering malicious invoice documents. If successful, the infection could lead to encryption of critical business data, causing operational disruption, data loss, and potential financial costs related to ransom payments or recovery efforts. The presence of TrickBot as a delivery mechanism also raises concerns about credential theft, lateral movement, and further malware deployment within networks. Although the severity is currently assessed as low, the combined capabilities of TrickBot and Locky can escalate impact if infections spread. Industries with high volumes of invoice processing, such as finance, manufacturing, and logistics, are particularly vulnerable. Additionally, organizations lacking robust email filtering, endpoint protection, and user awareness training may experience higher infection rates. The threat could also affect supply chains if smaller partners are compromised, leading to broader operational impacts.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting and quarantining phishing emails with malicious attachments, especially those masquerading as invoices.
2. Enforce strict macro policies in Office applications, disabling macros by default and allowing only digitally signed macros from trusted sources.
3. Deploy endpoint detection and response (EDR) tools that can identify TrickBot and Locky behaviors, including unusual process creations and file encryption activities.
4. Conduct regular user awareness training focused on recognizing phishing attempts, particularly those involving financial documents.
5. Maintain up-to-date backups with offline or immutable storage to enable recovery without paying ransom.
6. Monitor network traffic for indicators of TrickBot command and control communications and isolate infected hosts promptly.
7. Apply network segmentation to limit lateral movement if an infection occurs.
8. Use multi-factor authentication to reduce the risk of credential theft exploitation by TrickBot.
9. Regularly update and patch all systems to reduce exposure to exploitation vectors used by TrickBot or other malware components.
10. Collaborate with threat intelligence sharing groups to stay informed about emerging variants and indicators of compromise related to Locky and TrickBot.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Threat Level: 3
- Analysis: 1
- Uuid: 5a044ec0-f460-4e39-921e-cda3950d210f
- Original Timestamp: 1510257997
Indicators of Compromise
Hash

Value | Type | Description
---|---|---
1949e616ddb130c27c0e65ddb170d5a9 | MD5 | —
4cd6a1c9aaf6ef7445900d94a978dfcb | MD5 | —
5525cc2e9b021a6c5cda63a7c3a3e9c9 | MD5 | —
f4ac7eacaaecdfdcfc9c75e0562ed3c69d814d6455b8aa57cc46bc0301681f87 | SHA-256 | Xchecked via VT: 4cd6a1c9aaf6ef7445900d94a978dfcb
a00eaf4174afc4086356f87cc3df1255dd707604 | SHA-1 | Xchecked via VT: 4cd6a1c9aaf6ef7445900d94a978dfcb
cdb624ad2e278dc12047d4216f8b79d49824db2827be4d626e8108a07683d596 | SHA-256 | Xchecked via VT: 1949e616ddb130c27c0e65ddb170d5a9
0887de24845eb898c5bcaba9139ed701cde61325 | SHA-1 | Xchecked via VT: 1949e616ddb130c27c0e65ddb170d5a9
Url

Value | Description
---|---
http://cirad.or.id/mnfTRw3 | —
http://heart-sp.com/mnfTRw3 | —
http://hilaryandsavio.com/mnfTRw3 | —
http://internet-webshops.de/mnfTRw3 | —
http://givagarden.com/mnfTRw3 | —
http://toptrends.org/ndgHSKFte4 | —
http://celebrityonline.cz/ndgHSKFte4 | —
http://aurea-art.ru/ndgHSKFte4 | —
http://transmercasa.com/ndgHSKFte4 | —
http://envi-herzog.de/ndgHSKFte4 | —
http://dotecnia.cl/ndgHSKFte4 | —
http://claridge-holdings.com/ndgHSKFte4 | —
http://dalmobil.info/ | —
http://flipcapella.com/KJ63dggs332 | —
http://hobbystube.net/djskfh824 | —
Domain

Value | Description
---|---
cirad.or.id | —
heart-sp.com | —
hilaryandsavio.com | —
internet-webshops.de | —
givagarden.com | —
toptrends.org | —
celebrityonline.cz | —
aurea-art.ru | —
transmercasa.com | —
envi-herzog.de | —
dotecnia.cl | —
claridge-holdings.com | —
dalmobil.info | —
flipcapella.com | —
hobbystube.net | —
Ip

Value | Description (associated domain)
---|---
202.145.0.45 | cirad.or.id
111.68.20.150 | heart-sp.com
72.249.127.194 | hilaryandsavio.com
217.160.224.147 | internet-webshops.de
93.186.244.43 | givagarden.com
87.230.95.138 | toptrends.org
78.24.8.144 | celebrityonline.cz
212.220.124.226 | aurea-art.ru
75.98.175.70 | transmercasa.com
194.116.187.130 | envi-herzog.de
72.249.104.96 | dotecnia.cl
202.160.120.194 | claridge-holdings.com
188.40.94.83 | flipcapella.com
83.220.128.111 | hobbystube.net
176.120.126.21 | —
156.17.92.161 | —
187.191.0.42 | —
181.211.34.154 | —
200.117.251.52 | —
78.24.217.88 | —
62.109.1.68 | —
195.133.147.74 | —
195.133.146.117 | —
195.133.146.122 | —
78.24.222.226 | —
95.213.252.23 | —
95.213.251.95 | —
194.87.93.55 | —
62.109.8.186 | —
188.120.246.189 | —
194.87.98.249 | —
95.213.195.174 | —
185.143.173.244 | —
194.87.110.113 | —
179.43.147.241 | —
82.146.43.178 | —
185.158.114.114 | —
62.109.10.93 | —
185.34.52.236 | —
Link

Value | Description
---|---
https://www.virustotal.com/file/f4ac7eacaaecdfdcfc9c75e0562ed3c69d814d6455b8aa57cc46bc0301681f87/analysis/1509591920/ | Xchecked via VT: 4cd6a1c9aaf6ef7445900d94a978dfcb
https://www.virustotal.com/file/cdb624ad2e278dc12047d4216f8b79d49824db2827be4d626e8108a07683d596/analysis/1509682395/ | Xchecked via VT: 1949e616ddb130c27c0e65ddb170d5a9
Threat ID: 682b810a8ee1a77b717bdf5b
Added to database: 5/19/2025, 7:05:46 PM
Last enriched: 6/18/2025, 7:35:44 PM
Last updated: 7/30/2025, 9:39:33 PM
Views: 8