#IOC #OptiData #VR #lokibot #RAR
https://pastebin.com/4hf0UEqM

previous_contact:
16/10/18 https://pastebin.com/LPqjHUkQ
8/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach .jar (RAR) > exe

email_headers
--------------
Received: from server.arab2shop.com (unknown [138.201.84.134]) by srv8.victim1.com with smtp
Wed, 28 Nov 2018 04:41:21 +0200
Received: from [127.0.0.1] (port=40460 helo=teba-eg.com)
by server.arab2shop.com with esmtpa (Exim 4.91)
(envelope-from <sflyukon@amosconnect.com>)
Received: from 109.169.61.47 ([109.169.61.47])
(SquirrelMail authenticated user reda@teba-eg.com)
by teba-eg.com with HTTP;
Date: Wed, 28 Nov 2018 04:26:02 +0200
Subject: Request For Quotation
From: "CAPT. ABDIAS B.IGLORIA JR." <reda@teba-eg.com>
Reply-To: sflyukon@amosconnect.com
User-Agent: SquirrelMail/1.5.2 [SVN]

files
--------------
SHA-256 1fb3d86022f53b2f1a5ad2a1148429a1d00701e24b528d3703f7e12e0e3081fc
File name XEROV_2811018_pdf.arj [RAR archive data, v1d, os: Win32]
File size 468.04 KB

SHA-256 0a8f9dbc48f249d7dbd6791bdf200fd6942826af56d724eb15042abda586b811
File name XEROV_2811018_pdf.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1.01 MB

activity
**************

netwrk
--------------
95.181.178.81 www.tsq-hk{.} com POST /bassltd/bassloki/fre.php Mozilla/4.08 (Charon; Inferno)
192.162.244.14 www.tsq-hk{.} com POST /bassltd/bassloki/fre.php Mozilla/4.08 (Charon; Inferno)

comp
--------------
[System] 95.181.178.81 TIME_WAIT
[System] lombakonram.example.com TIME_WAIT
[System] 192.162.244.14 TIME_WAIT

proc
--------------
C:\Users\operator\Desktop\XEROV_2811018_pdf.exe
copy itself to
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
then inject
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\mobsync.exe - Embedding
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
rar https://www.virustotal.com/#/file/1fb3d86022f53b2f1a5ad2a1148429a1d00701e24b528d3703f7e12e0e3081fc/details
exe https://www.virustotal.com/#/file/0a8f9dbc48f249d7dbd6791bdf200fd6942826af56d724eb15042abda586b811/details
https://analyze.intezer.com/#/analyses/46e43a25-0bce-4565-8044-4d2ad729d97e