#IOC #OptiData #VR #lokibot #DOC #OLE
https://pastebin.com/W0e6iWnc

previous_contact:
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
8/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach doc > ole > %tmp%\_output62EE4B0.exe

email_headers
--------------
Received: from hunimo.com ([165.227.74.204])
for <user0@victim1.com>; Wed, 28 Nov 2018 13:16:20 +0200 (EET)
(envelope-from Kathylin@gmail.com)
Received: from [102.165.37.52]
by hunimo.com with esmtpa (Exim 4.84_2)
(envelope-from <Kathylin@gmail.com>)
Subject: Payment Advice
To: Recipients <Kathylin@gmail.com>
From: "Kathy Li" <Kathylin@gmail.com>
Date: Wed, 28 Nov 2018 03:14:42 -0800

files
--------------
SHA-256 448ff93c63401441c0a78b0ba8d61bcb89eafc5c000a5c13b8d943f1509170ad
File name INV001.doc [Microsoft Word 2007+]
File size 272.18 KB

SHA-256 cbc2cab2c86ff5d0de8e8c11315571ebba0f21d328b3bc9d6921f2b88b969edf
File name _output62EE4B0.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 1004 KB

activity
**************

netwrk
--------------
69.90.161.175 paylesssignandprinters{.} ca POST /lordboys/panel/fre.php Mozilla/4.08 (Charon; Inferno)

comp
--------------
[System] 69.90.161.175 80 TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\tmp\_output62EE4B0.exe"
C:\tmp\_output62EE4B0.exe"

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
doc https://www.virustotal.com/#/file/448ff93c63401441c0a78b0ba8d61bcb89eafc5c000a5c13b8d943f1509170ad/details
exe https://www.virustotal.com/#/file/cbc2cab2c86ff5d0de8e8c11315571ebba0f21d328b3bc9d6921f2b88b969edf/details
https://analyze.intezer.com/#/analyses/08be5edd-c813-453c-9667-7f64bdb95e2d

VR