G0dR4p3

Lokibot_IOC's_15-06-2018

Jun 15th, 2018
#Lokibot #Malware
-----------------------------------
15-06-2018 IOC's
-----------------------------------