Locky or Trickbot - Campaign and Infrastructure Analysis

The malicious email carried the base64-encoded 7z archive in the email body itself, not as an attachment. I am unable to comprehend why the attacker would send the encoded malicious attachment in the email body.

The mail with subject "Supplement payment <somenumber>" was received from an IP address assigned to an Indonesian DynDNS service provider:

The email domain of the sender was "". IBM X-Force Exchange shows the malicious attachments that were sent from this domain.

We can see that these are 7z files.

This is the webpage for

I copied the base64-encoded text to a file called "infected_attach", decoded it, and piped the output to a file named infectedzip.7z.

We can see that it is indeed a 7-Zip archive:
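The decode-and-verify step above, as an added example (not the author's own script): a small Python triage helper that pulls runs of base64 lines out of an email body, decodes them, checks the decoded bytes for the 7z magic signature (extended with zip and rar for generality) and records size and MD5. The sample body is constructed; its "archive" is only the 7z signature followed by padding, not a real archive.

```python
import base64
import binascii
import hashlib
import re

# Archive signatures to look for in a decoded blob. The 7z signature is the
# one this post is about; zip and rar are included to generalise the check.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}

# A body line made only of base64 alphabet characters (16 or more) is treated
# as part of a blob; prose lines contain spaces and never match.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_base64_blobs(body):
    """Decode each contiguous run of base64-looking lines in a mail body."""
    blobs, run = [], []
    for line in body.splitlines() + [""]:  # sentinel flushes the final run
        if B64_LINE.match(line.strip()):
            run.append(line.strip())
            continue
        if run:
            try:
                blobs.append(base64.b64decode("".join(run), validate=True))
            except binascii.Error:
                pass  # looked like base64 but did not decode; skip the run
            run = []
    return blobs


def identify_archive(data):
    """Return the archive type whose magic bytes open the blob, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_body(body):
    """Report type, size and MD5 for every blob decoded from the body."""
    return [{"type": identify_archive(b), "size": len(b),
             "md5": hashlib.md5(b).hexdigest()} for b in extract_base64_blobs(body)]


# Constructed sample: 7z signature plus padding, base64-wrapped at 76 columns
# the way a mail client would (not a real archive and not the real mail).
SAMPLE_ARCHIVE = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 122
SAMPLE_BODY = ("Please find the supplement payment below.\n\n"
               + base64.encodebytes(SAMPLE_ARCHIVE).decode())
```

Running `triage_body(SAMPLE_BODY)` yields one entry typed "7z" with its size and MD5; the same MD5 is what you would compare against a sandbox or VirusTotal lookup.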

I moved the decoded 7z file to my lab and found a VBS script inside it.

Windows Defender identifies the VBS as VBS/Schopets.

Hash of the VBS: 57030ddd567e2bc26e75ef8ac2359079

Strangely, VirusTotal had 0 detections for this VBS.

I proceeded to deb…

