VRad

#lokibot_011218

Dec 3rd, 2018
#IOC #OptiData #VR #Lokibot #ISO

https://pastebin.com/JHBUsJ7k

previous_contact:
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
8/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------

email_headers
--------------
Received: from novainstrument.com (hosted-by.blazingfast.io [185.62.190.204] (may be forged))
by srv8.victim1.com (8.15.2/8.15.2)
for <user0@org6.victim1.com>; Sat, 1 Dec 2018 07:24:44 +0200 (EET)
(envelope-from jieunne@novainstrument.com)
From: Jieun <jieunne@novainstrument.com>
To: user0@org6.victim1.com
Subject: FW: Purchase Order - PO. 4029530
Date: 30 Nov 2018 21:23:24 -0800

files
--------------

SHA-256 30d74d66462f5d93eef04b079755574593800e55feeda1682259363e8cb59839
File name p.o.iso [ISO 9660 CD-ROM filesystem data 'p.o']
File size 380 KB

SHA-256 42de623286146b4f6d26dfb73e17b6e95d76509024f1f2b5c1bee734cc22116b
File name p.o.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 320 KB

activity
**************

PL_GET: attach

C2: n/a

netwrk
--------------
n/a

comp
--------------
n/a

proc
--------------
C:\Users\operator\Desktop\p.o.exe
C:\Users\operator\Desktop\p.o.exe

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe

# # #
https://www.virustotal.com/#/file/30d74d66462f5d93eef04b079755574593800e55feeda1682259363e8cb59839/details
https://www.virustotal.com/#/file/42de623286146b4f6d26dfb73e17b6e95d76509024f1f2b5c1bee734cc22116b/details
https://analyze.intezer.com/#/analyses/bfe5b9ba-dbbb-486a-9385-645b72f950c4

VR