2019-05-20 - malspam pushing Lokibot

Posted by malware_traffic, May 20th, 2019
INITIAL FILE:

- Email sender: sales01@orbit-sc.com
- Email subject: RE: TRANSMITTED L/C OF DENIZLI RATEKS CONTRACT 397/19
- Email attachment name: IMG 0049.doc

- Email sender: bankalers@orbit-sc.com
- Email subject: Payment from TATA STEEL LIMITED to CMM LOGISTICS .
- Email attachment name: FT905209869273.doc

- SHA256 hash: 9e1ab492a5474c8ccdb155cd2b375a65d18dc0d85058d282a52502504a2cc01e
- File size: 291,734 bytes
- File type: RTF document

FOLLOW-UP EXE:

- SHA256 hash: 1ff7e9d153991071f612347c0f75ecc3b9aa2dd76038423e7195e175d8cc7d66
- File size: 929,792 bytes
- File type: Windows executable file
- File location: C:\Users\[username]\AppData\Roaming\yahoo-419.exe
- File location: C:\Users\[username]\AppData\Roaming\44631D\D1B132.exe
- File location: C:\ProgramData\MDNSResponder.exe
- File description: Lokibot malware
- Any.Run analysis: https://app.any.run/tasks/75e7957c-5847-450e-b67e-d452cd4a33f4

INFECTION TRAFFIC:

- 185.70.107[.]218 port 80 - update.bracncet[.]net - GET /yahoo.419
- 185.70.107[.]218 port 80 - shopper.bulutlogistic[.]com - POST /fre.php
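Added example (not part of the original paste): a small Python matcher that parses the INFECTION TRAFFIC bullets in exactly the format used above, refangs the "[.]" notation, and scans proxy/Zeek-style HTTP log lines for the two requests. The log lines, the simplified tab-separated http.log layout, and the 10.5.20.x client addresses are constructed for illustration; only the two indicator lines come from the post. Matching on host plus URI is treated as the strong signal, because both hosts resolve to the same IP and that IP may also serve unrelated traffic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied verbatim from the post above, still in defanged form.
INFECTION_TRAFFIC = [
    "- 185.70.107[.]218 port 80 - update.bracncet[.]net - GET /yahoo.419",
    "- 185.70.107[.]218 port 80 - shopper.bulutlogistic[.]com - POST /fre.php",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the post so values compare to real logs."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class TrafficIoc:
    ip: str
    port: int
    host: str
    method: str
    uri: str


# Matches the post's line layout: "<ip> port <n> - <host> - <METHOD> <uri>"
TRAFFIC_LINE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)


def parse_traffic_line(line: str) -> TrafficIoc:
    """Parse one INFECTION TRAFFIC bullet into a refanged, typed indicator."""
    body = line.strip().lstrip("-").strip()
    m = TRAFFIC_LINE.match(body)
    if not m:
        raise ValueError(f"unrecognised traffic line: {line!r}")
    return TrafficIoc(
        ip=refang(m["ip"]),
        port=int(m["port"]),
        host=refang(m["host"]),
        method=m["method"],
        uri=m["uri"],
    )


# Constructed sample data (not a real capture): a simplified tab-separated
# Zeek http.log layout with the fields ts, src_ip, dst_ip, dst_port, method,
# host, uri. The 10.5.20.x addresses are hypothetical internal clients.
SAMPLE_HTTP_LOG = """\
1558368001.120\t10.5.20.101\t185.70.107.218\t80\tGET\tupdate.bracncet.net\t/yahoo.419
1558368002.551\t10.5.20.101\t93.184.216.34\t80\tGET\twww.example.com\t/
1558368010.003\t10.5.20.101\t185.70.107.218\t80\tPOST\tshopper.bulutlogistic.com\t/fre.php
1558368011.420\t10.5.20.102\t185.70.107.218\t80\tPOST\tshopper.bulutlogistic.com\t/fre.php
1558368020.000\t10.5.20.103\t185.70.107.218\t443\tGET\tupdate.bracncet.net\t/other
1558368030.000\t10.5.20.104\t185.70.107.218\t80\tGET\tsomething.else.example\t/x
"""


def find_hits(http_log: str, iocs: list[TrafficIoc]) -> list[tuple[str, str, str]]:
    """Return (src_ip, host, match_kind) for every log line that matches an IOC.

    'host+uri' is the strong match (the exact request the post records);
    'ip+port' is the weaker fallback, since one server can front many sites
    and the same IP may serve unrelated traffic.
    """
    by_request = {(i.host, i.method, i.uri) for i in iocs}
    by_endpoint = {(i.ip, i.port) for i in iocs}
    hits: list[tuple[str, str, str]] = []
    for raw in http_log.splitlines():
        if not raw.strip():
            continue
        _ts, src, dst, dport, method, host, uri = raw.split("\t")
        if (host, method, uri) in by_request:
            hits.append((src, host, "host+uri"))
        elif (dst, int(dport)) in by_endpoint:
            hits.append((src, host, "ip+port"))
    return hits


def likely_infected(hits: list[tuple[str, str, str]]) -> list[str]:
    """Sorted source IPs with at least one strong (host+uri) match."""
    return sorted({src for src, _host, kind in hits if kind == "host+uri"})


if __name__ == "__main__":
    parsed = [parse_traffic_line(line) for line in INFECTION_TRAFFIC]
    hits = find_hits(SAMPLE_HTTP_LOG, parsed)
    for hit in hits:
        print(hit)
    print("likely infected:", likely_infected(hits))
```

In the constructed log the 443 request to update.bracncet.net and the request for /other are deliberately left unmatched: the post only records port 80 and the two exact paths, so a port or URI mismatch is reported as nothing rather than as a guess. The ip+port fallback still surfaces the client that talked to 185.70.107.218 on port 80 under an unlisted hostname, but as a weaker lead to triage rather than a confirmed Lokibot check-in.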