#lokibot_100119

VRad Jan 10th, 2019 (edited)
#IOC #OptiData #VR #LokiBot #RTF #11882

https://pastebin.com/7zTpaww5

previous_contact:
03/12/18    https://pastebin.com/Wg4bSRFp
01/12/18    https://pastebin.com/w5Gy50d5
01/12/18    https://pastebin.com/JHBUsJ7k
28/11/18    https://pastebin.com/W0e6iWnc
28/11/18    https://pastebin.com/4hf0UEqM
16/10/18    https://pastebin.com/LPqjHUkQ
08/10/18    https://pastebin.com/cZxQGbyq
27/09/18    https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach .doc(RTF) > 11882 > EQNEDT32 > GET .jpg > %temp%\1.exe

email_headers
--------------
Received: from gunimo.com ([209.97.148.252])
    by srv8.victim1.com for <user0@org7.victim1.com>;
Received: from [103.99.1.147] (helo=User)
    by gunimo.com (envelope-from <imports.falcos@gmail.com>)
From: "Riccardo Ardemani"<imports.falcos@gmail.com>
Subject: ORDER_15409795
Date: Thu, 10 Jan 2019 08:58:30 -0800

files
--------------
SHA-256 4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98
File name   15409795.doc        [Rich Text Format data, version 1]
File size   328.94 KB

SHA-256 4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065
File name   15409795.jpg        [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   642.5 KB

activity
**************

PL_SRC  bit{.} ly/2LZmwGO >> cgi{.} cvpsas{.} com/15409795.jpg

C2  decvit{.} gq

netwrk
--------------
67.199.248.10   bit{.} ly       GET /2LZmwGO        HTTP/1.1    Mozilla/4.0
64.37.60.157    cgi{.} cvpsas{.} com    GET /15409795.jpg   HTTP/1.1    Mozilla/4.0
45.62.211.135   decvit{.} gq        POST /O/annd2/cat.php   HTTP/1.0    Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE    4040    67.199.248.10   80  ESTABLISHED
EQNEDT32.EXE    4040    64.37.60.157    80  ESTABLISHED
[System]    0   45.62.211.135   80  TIME_WAIT
poish.exe   2868    45.62.211.135   80  ESTABLISHED
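
Added example, not part of the paste: a small Python check over constructed process-table and HTTP-log records modelled on the netwrk and comp sections, flagging the Equation Editor (EQNEDT32.EXE) holding network sockets and the "Mozilla/4.08 (Charon; Inferno)" User-Agent of the C2 POST. The chrome.exe row and the 142.250.74.46 host are constructed benign entries for contrast.

```python
import re

# Constructed sample records modelled on the 'comp' and 'netwrk' sections
# of this paste (not captured from a real host); the chrome.exe row and
# 142.250.74.46 are added as benign noise.
CONNECTIONS = [
    ("EQNEDT32.EXE", 4040, "67.199.248.10", 80, "ESTABLISHED"),
    ("EQNEDT32.EXE", 4040, "64.37.60.157", 80, "ESTABLISHED"),
    ("poish.exe", 2868, "45.62.211.135", 80, "ESTABLISHED"),
    ("chrome.exe", 1204, "142.250.74.46", 443, "ESTABLISHED"),
]
HTTP_LOG = [
    '67.199.248.10 GET /2LZmwGO HTTP/1.1 "Mozilla/4.0"',
    '64.37.60.157 GET /15409795.jpg HTTP/1.1 "Mozilla/4.0"',
    '45.62.211.135 POST /O/annd2/cat.php HTTP/1.0 "Mozilla/4.08 (Charon; Inferno)"',
    '142.250.74.46 GET / HTTP/1.1 "Mozilla/5.0"',
]

# Office helper binaries that should never own a network socket.
NO_NETWORK_PROCS = {"eqnedt32.exe"}
# Payload-hosting and C2 addresses listed in this paste.
IOC_IPS = {"67.199.248.10", "64.37.60.157", "45.62.211.135"}
# User-Agent used by the C2 POST in the netwrk section.
LOKI_UA = re.compile(r'"Mozilla/4\.08 \(Charon; Inferno\)"')
HTTP_RE = re.compile(r'^(\S+) (GET|POST) (\S+) HTTP/1\.[01] ("[^"]*")$')

def flag_connections(conns):
    """Return (process, pid, remote_ip, reason) for suspicious sockets."""
    hits = []
    for proc, pid, ip, port, state in conns:
        if proc.lower() in NO_NETWORK_PROCS:
            hits.append((proc, pid, ip, "office-helper-network"))
        elif ip in IOC_IPS:
            hits.append((proc, pid, ip, "known-ioc-host"))
    return hits

def flag_http(lines):
    """Return (remote_ip, path, reason) for requests matching the paste's traits."""
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        if not m:
            continue  # skip records that do not fit the constructed log format
        ip, method, path, ua = m.groups()
        if LOKI_UA.match(ua):
            hits.append((ip, path, "lokibot-user-agent"))
        elif ip in IOC_IPS:
            hits.append((ip, path, "known-ioc-host"))
    return hits

if __name__ == "__main__":
    for hit in flag_connections(CONNECTIONS) + flag_http(HTTP_LOG):
        print(hit)
```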

proc
--------------
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\bsig\poish.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup         09.01.2019 9:47
bsig.vbs
    "
    Set KzvxfmWYRQlpyp = creatEOBject("wScRiPt.SHell")
    KzVXfMwYrQLpyP.ruN """C:\Users\operator\AppData\Roaming\bsig\poish.exe"""
    "
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\bsig.vbs    09.01.2019 9:47

drop
--------------
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\bsig
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsig.vbs

# # #
https://www.virustotal.com/#/file/4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98/details
https://www.virustotal.com/#/url/0452218c955dc2af4cc274c2d56a4c648acb30a8d22ca34b94811a07d051b1bb/details
https://www.virustotal.com/#/file/4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065/details
https://analyze.intezer.com/#/analyses/a49e1a75-5318-4f23-8c86-d431d837257f

VR

@