#Lokibot_270918

VRad Sep 27th, 2018 (edited)
#IOC #OptiData #VR #Lokibot #ISO #EXE

https://pastebin.com/5bpk5kKs
https://radetskiy.wordpress.com/2018/07/05/ioc_digest_0618/

email_headers
--------------
X-NAI-ID: 7772_01ea_a50f691a_1c79_4894_82c1_e303d965dcd6
Received: from c268.gconex.com (c268.gconex.com [190.9.33.71] (may be forged))
    by mailsrv.victim.com (8.15.2/8.15.2) with ESMTP id w8R4Va20010545
    for <user1@xyz.victim.com>; Thu, 27 Sep 2018 07:31:47 +0300 (EEST)
    (envelope-from jeanette@strandenes.no)
Received: from h88-150-221-11.host.redstation.co.uk ([88.150.221.11]:54468 helo=User)
    by c268.gconex.com with esmtpa (Exim 4.91)
    (envelope-from <jeanette@strandenes.no>)
    id 1g5NwZ-0002T1-ID; Thu, 27 Sep 2018 08:31:02 +0400
From: "GOLDEN CHARTERING & BROKERAGE LTD/TANKER DESK"<jeanette@strandenes.no>
Subject: TBN PDA REQUEST
Date: Wed, 26 Sep 2018 21:30:27 -0700

files
--------------

SHA-256 20d5a7200acde7f3abb5e764c85f0fc0f010ace1ca27ea10d263a99f9f1ecb37
File name   Mensaje00200390000490401121REM.SCB (33)-pdf.iso
File size   1.25 MB

SHA-256 04cc2d0304e14651386f1fc6536f190223b8fdcd2d17798c0f378ab6734eca5a
File name   Mensaje00200390000490401121REM.SCB (33)-pdf.exe
File size   712 KB

activity
**************

proc
--------------
"C:\Users\operator\Desktop\Mensaje00200390000490401121REM.SCB (33)-pdf.exe"
"C:\Users\operator\Desktop\Mensaje00200390000490401121REM.SCB (33)-pdf.exe"
copies itself to
C:\Users\operator\AppData\Roaming\39B01F
then injects into
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\wbem\wmiprvse.exe -Embedding

persist
--------------
no

netwrk
--------------
91.234.99.41    bhosrikayloray{.} com   POST /larindokali/Panel/five/fre.php HTTP/1.0   Mozilla/4.08 (Charon; Inferno) (!) Lokibot_marker

MensajeREM.SCB (33)-pdf.exe 1616        91.234.99.41    80  ESTABLISHED
[System Process]        0       91.234.99.41    80  TIME_WAIT
[System Process]        0       91.234.99.41    80  TIME_WAIT
[System Process]        0       91.234.99.41    80  TIME_WAIT

# # #
https://analyze.intezer.com/#/analyses/31591c0b-57df-4a01-8b31-d5e8f81a2722
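As an added defender-side example (not part of the original paste), a small Python check that flags proxy log lines matching the Lokibot markers listed above: the User-Agent "Mozilla/4.08 (Charon; Inferno)", the C2 host/IP, and the POST to fre.php. The log line format and the sample lines are constructed for illustration; the C2 host is the refanged form of the domain in the netwrk section.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the paste above (domain is written defanged there).
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_C2_IP = "91.234.99.41"
LOKIBOT_C2_HOST = "bhosrikayloray.com"
LOKIBOT_URI_RE = re.compile(r"/fre\.php$")

# Constructed proxy log format (assumption, not a real product's format):
#   <timestamp> <client_ip> <method> <host> <uri> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for a log line matching any Lokibot marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed / foreign format: ignore rather than crash
    f = m.groupdict()
    reasons = []
    if f["ua"] == LOKIBOT_UA:
        reasons.append("ua")
    if f["host"].lower() in (LOKIBOT_C2_HOST, LOKIBOT_C2_IP):
        reasons.append("c2")
    if f["method"] == "POST" and LOKIBOT_URI_RE.search(f["uri"]):
        reasons.append("uri")
    if not reasons:
        return None
    return {"src": f["src"], "host": f["host"], "uri": f["uri"], "reasons": ",".join(reasons)}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: one benign request, one full C2 check-in, one check-in by IP,
# one UA-only match to an unrelated host, and one malformed line.
SAMPLE_LOG = [
    '2018-09-27T07:35:01Z 10.0.0.21 GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '2018-09-27T07:36:10Z 10.0.0.21 POST bhosrikayloray.com /larindokali/Panel/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '2018-09-27T07:36:12Z 10.0.0.21 POST 91.234.99.41 /larindokali/Panel/five/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2018-09-27T07:40:00Z 10.0.0.22 POST other.example.net /upload.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```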