#lokibot_281118

VRad, Nov 28th, 2018 (edited)
#IOC #OptiData #VR #lokibot #RAR

https://pastebin.com/4hf0UEqM

previous_contact:
16/10/18    https://pastebin.com/LPqjHUkQ
8/10/18     https://pastebin.com/cZxQGbyq
27/09/18    https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach .arj (RAR) > exe

email_headers
--------------
Received: from server.arab2shop.com (unknown [138.201.84.134]) by srv8.victim1.com with smtp
    Wed, 28 Nov 2018 04:41:21 +0200
Received: from [127.0.0.1] (port=40460 helo=teba-eg.com)
    by server.arab2shop.com with esmtpa (Exim 4.91)
    (envelope-from <sflyukon@amosconnect.com>)
Received: from 109.169.61.47 ([109.169.61.47])
        (SquirrelMail authenticated user reda@teba-eg.com)
        by teba-eg.com with HTTP;
Date: Wed, 28 Nov 2018 04:26:02 +0200
Subject: Request For Quotation
From: "CAPT. ABDIAS B.IGLORIA JR." <reda@teba-eg.com>
Reply-To: sflyukon@amosconnect.com
User-Agent: SquirrelMail/1.5.2 [SVN]

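The headers above carry the triage signal on their own: the message was submitted through teba-eg.com webmail by an authenticated user whose address matches From, while Reply-To and the Exim envelope-from point at a different domain (amosconnect.com). The script below is an added example, not part of the paste, that parses exactly those header lines with the standard library and flags those mismatches; the message body is constructed filler and the finding names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The header lines from the email_headers section, wrapped into a minimal
# RFC 5322 message. Only the body line "(body omitted)" is constructed.
RAW_MESSAGE = """\
Received: from server.arab2shop.com (unknown [138.201.84.134]) by srv8.victim1.com with smtp
    Wed, 28 Nov 2018 04:41:21 +0200
Received: from [127.0.0.1] (port=40460 helo=teba-eg.com)
    by server.arab2shop.com with esmtpa (Exim 4.91)
    (envelope-from <sflyukon@amosconnect.com>)
Received: from 109.169.61.47 ([109.169.61.47])
        (SquirrelMail authenticated user reda@teba-eg.com)
        by teba-eg.com with HTTP;
Date: Wed, 28 Nov 2018 04:26:02 +0200
Subject: Request For Quotation
From: "CAPT. ABDIAS B.IGLORIA JR." <reda@teba-eg.com>
Reply-To: sflyukon@amosconnect.com
User-Agent: SquirrelMail/1.5.2 [SVN]

(body omitted)
"""

# Exim writes the SMTP MAIL FROM into the Received line as "(envelope-from <...>)".
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.IGNORECASE)


def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Parse the headers and return the sender triple plus a list of findings."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    received = msg.get_all("Received", [])   # oldest hop is the last entry

    env_from = ""
    for hop in received:
        m = ENVELOPE_FROM_RE.search(hop)
        if m:
            env_from = m.group(1)
            break

    findings = []
    if reply_to and domain(reply_to) != domain(from_addr):
        findings.append("reply_to_domain_mismatch")
    if env_from and domain(env_from) != domain(from_addr):
        findings.append("envelope_from_mismatch")
    # Webmail submission by an authenticated user: the mailbox itself sent
    # it, which is worth a call to that user's admin rather than a spoof check.
    if any("authenticated user" in hop for hop in received):
        findings.append("webmail_authenticated_sender")

    return {
        "from": from_addr,
        "reply_to": reply_to,
        "envelope_from": env_from,
        "received_hops": len(received),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A Reply-To on a different domain is the part that matters for the victim: replies to the "quotation" go to the attacker's mailbox, not to the account the mail was sent from.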
files
--------------
SHA-256     1fb3d86022f53b2f1a5ad2a1148429a1d00701e24b528d3703f7e12e0e3081fc
File name   XEROV_2811018_pdf.arj   [RAR archive data, v1d, os: Win32]
File size   468.04 KB

SHA-256     0a8f9dbc48f249d7dbd6791bdf200fd6942826af56d724eb15042abda586b811
File name   XEROV_2811018_pdf.exe   [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   1.01 MB

activity
**************

netwrk
--------------
95.181.178.81   www.tsq-hk{.}com   POST /bassltd/bassloki/fre.php   Mozilla/4.08 (Charon; Inferno)
192.162.244.14  www.tsq-hk{.}com   POST /bassltd/bassloki/fre.php   Mozilla/4.08 (Charon; Inferno)

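The two beacons above are the usual LokiBot shape: a POST to a PHP gate with the fixed User-Agent "Mozilla/4.08 (Charon; Inferno)". The script below is an added example (not from the paste or its author) that runs those indicators over HTTP proxy log lines. The tab-separated column layout is an assumption made for the example, a cut-down Zeek http.log; the four log lines are constructed, not captured traffic.

```python
import re

# Network indicators copied from the netwrk section of this paste.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_C2_IPS = {"95.181.178.81", "192.162.244.14"}
LOKIBOT_C2_HOSTS = {"www.tsq-hk.com"}
# The gate in this sample is .../fre.php; match the file name, not the full path,
# so a rebuilt panel under another directory is still caught.
LOKIBOT_GATE_RE = re.compile(r"/fre\.php$")

# Assumed input format (hypothetical, not from the page): one request per line,
# tab-separated, columns in this order.
FIELDS = ("ts", "src", "dst", "method", "host", "uri", "user_agent")


def parse_line(line):
    """Split one tab-separated log line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return (matched indicator names, severity) for one request.

    The User-Agent and the C2 addresses are each sufficient on their own.
    A POST to some /fre.php by itself is only a weak hint, since nothing
    stops a benign site from using that file name, so it is rated low.
    """
    hits = []
    if rec["user_agent"] == LOKIBOT_USER_AGENT:
        hits.append("lokibot_ua")
    if rec["dst"] in LOKIBOT_C2_IPS:
        hits.append("c2_ip")
    if rec["host"].lower() in LOKIBOT_C2_HOSTS:
        hits.append("c2_host")
    if rec["method"] == "POST" and LOKIBOT_GATE_RE.search(rec["uri"]):
        hits.append("gate_post")
    if not hits:
        return [], None
    strong = {"lokibot_ua", "c2_ip", "c2_host"}
    return hits, ("high" if strong & set(hits) else "low")


def scan(lines):
    """Return (ts, src, dst, hits, severity) for every line that matches."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits, severity = classify(rec)
        if hits:
            results.append((rec["ts"], rec["src"], rec["dst"], hits, severity))
    return results


# Constructed sample traffic: two beacons matching the netwrk section, one
# benign browser request, and one benign POST that happens to hit a fre.php.
SAMPLE_LOG = [
    "1543372881.1\t10.0.0.5\t93.184.216.34\tGET\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0; rv:63.0) Gecko/20100101 Firefox/63.0",
    "1543372890.4\t10.0.0.5\t95.181.178.81\tPOST\twww.tsq-hk.com\t/bassltd/bassloki/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "1543372950.7\t10.0.0.5\t192.162.244.14\tPOST\twww.tsq-hk.com\t/bassltd/bassloki/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "1543373000.0\t10.0.0.7\t203.0.113.9\tPOST\tshop.example.net\t/cart/fre.php\tMozilla/5.0 (Windows NT 10.0) Chrome/70.0",
]

if __name__ == "__main__":
    for ts, src, dst, hits, sev in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} [{sev}] {','.join(hits)}")
```

The IP and host sets will go stale as the operator moves the panel; the User-Agent string is the durable part of this signature and is the one to keep in the proxy rule.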
comp
--------------
[System]    95.181.178.81           TIME_WAIT
[System]    lombakonram.example.com     TIME_WAIT
[System]    192.162.244.14          TIME_WAIT

proc
--------------
C:\Users\operator\Desktop\XEROV_2811018_pdf.exe
copy itself to
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
then inject
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\mobsync.exe - Embedding
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

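The host side of this sample is a copy of the dropper under %APPDATA% in a six-hex-character directory, with a same-style .exe and an .hdb beside it. The script below is an added example, not from the paste, that hunts for that layout in file-create telemetry (for instance Sysmon Event ID 11 reduced to image and target path). Generalising the two names to any six hex characters is this example's assumption about other builds, not something the paste states; the event list is constructed, and which process writes the .hdb is part of that construction.

```python
import re
from collections import defaultdict

# Drop layout from the drop section: Roaming\39B01F\FA74A3.exe + FA74A3.hdb.
# The hex names are generalised here on the assumption that other builds pick
# names the same way; the paste only shows this one instance.
DROP_RE = re.compile(
    r"^(?P<dir>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[0-9A-Fa-f]{6})\\"
    r"(?P<stem>[0-9A-Fa-f]{6})\.(?P<ext>exe|hdb)$",
    re.IGNORECASE,
)


def match_drop_path(path):
    """Return dir/stem/ext groups for a path in the drop layout, else None."""
    m = DROP_RE.match(path)
    return m.groupdict() if m else None


def find_drop_pairs(events):
    """Report directories where one hex stem has both an .exe and an .hdb.

    events: iterable of (creating_image, target_path) tuples, e.g. pulled
    from Sysmon Event ID 11 (FileCreate). Directories are keyed lower-cased
    because NTFS paths compare case-insensitively.
    """
    by_dir = defaultdict(dict)
    for image, target in events:
        m = match_drop_path(target)
        if m is None:
            continue
        by_dir[m["dir"].lower()][m["ext"].lower()] = {
            "stem": m["stem"].upper(),
            "path": target,
            "created_by": image,
        }
    pairs = {}
    for d, files in by_dir.items():
        if "exe" in files and "hdb" in files and files["exe"]["stem"] == files["hdb"]["stem"]:
            pairs[d] = files
    return pairs


# Constructed file-create events (not real telemetry). The first two mirror the
# paths in the drop section; the rest are ordinary Roaming-profile writes plus
# one lone hex-named .exe with no .hdb partner.
SAMPLE_EVENTS = [
    (r"C:\Users\operator\Desktop\XEROV_2811018_pdf.exe",
     r"C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe"),
    (r"C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe",
     r"C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (r"C:\Windows\explorer.exe",
     r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Recent\quote.lnk"),
    (r"C:\Users\operator\Desktop\setup.exe",
     r"C:\Users\operator\AppData\Roaming\ABCDEF\ABCDEF.exe"),
]

if __name__ == "__main__":
    for d, files in find_drop_pairs(SAMPLE_EVENTS).items():
        print(d)
        for ext, info in files.items():
            print(f"  .{ext}  {info['path']}  (created by {info['created_by']})")
```

A lone hex-named .exe under Roaming, as in the last constructed event, does not make the pair but still deserves a look; match_drop_path on its own will surface those, and the creating image tells you which user-launched binary to pull next.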
# # #
rar     https://www.virustotal.com/#/file/1fb3d86022f53b2f1a5ad2a1148429a1d00701e24b528d3703f7e12e0e3081fc/details

exe     https://www.virustotal.com/#/file/0a8f9dbc48f249d7dbd6791bdf200fd6942826af56d724eb15042abda586b811/details
        https://analyze.intezer.com/#/analyses/46e43a25-0bce-4565-8044-4d2ad729d97e