#lokibot_281118-2

#IOC #OptiData #VR #lokibot #DOC #OLE

https://pastebin.com/W0e6iWnc

previous_contact:
28/11/18	https://pastebin.com/4hf0UEqM
16/10/18	https://pastebin.com/LPqjHUkQ
8/10/18 	https://pastebin.com/cZxQGbyq
27/09/18	https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email > attach doc > ole > %tmp%\_output62EE4B0.exe

email_headers
--------------
Received: from hunimo.com ([165.227.74.204])
	for <user0@victim1.com>; Wed, 28 Nov 2018 13:16:20 +0200 (EET)
	(envelope-from Kathylin@gmail.com)
Received: from [102.165.37.52]
	by hunimo.com with esmtpa (Exim 4.84_2)
	(envelope-from <Kathylin@gmail.com>)
Subject: Payment Advice
To: Recipients <Kathylin@gmail.com>
From: "Kathy Li" <Kathylin@gmail.com>
Date: Wed, 28 Nov 2018 03:14:42 -0800

files
--------------
SHA-256	448ff93c63401441c0a78b0ba8d61bcb89eafc5c000a5c13b8d943f1509170ad
File name	INV001.doc		[Microsoft Word 2007+]
File size	272.18 KB

SHA-256	cbc2cab2c86ff5d0de8e8c11315571ebba0f21d328b3bc9d6921f2b88b969edf
File name	_output62EE4B0.exe	[PE32 executable (GUI) Intel 80386, for MS Windows]
File size	1004 KB

activity
**************

netwrk
--------------
69.90.161.175	paylesssignandprinters{.} ca	POST /lordboys/panel/fre.php 	Mozilla/4.08 (Charon; Inferno)

comp
--------------
[System]	69.90.161.175	80	TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\tmp\_output62EE4B0.exe"
C:\tmp\_output62EE4B0.exe"

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
doc		https://www.virustotal.com/#/file/448ff93c63401441c0a78b0ba8d61bcb89eafc5c000a5c13b8d943f1509170ad/details

exe		https://www.virustotal.com/#/file/cbc2cab2c86ff5d0de8e8c11315571ebba0f21d328b3bc9d6921f2b88b969edf/details
		https://analyze.intezer.com/#/analyses/08be5edd-c813-453c-9667-7f64bdb95e2d

VR