#lokibot_031218

VRad Dec 3rd, 2018 (edited)
#IOC #OptiData #VR #Lokibot #ZIP

https://pastebin.com/Wg4bSRFp

previous_contact:
01/12/18    https://pastebin.com/w5Gy50d5
01/12/18    https://pastebin.com/JHBUsJ7k
28/11/18    https://pastebin.com/W0e6iWnc
28/11/18    https://pastebin.com/4hf0UEqM
16/10/18    https://pastebin.com/LPqjHUkQ
8/10/18     https://pastebin.com/cZxQGbyq
27/09/18    https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attachment *-pdf.arj (the .arj extension is a disguise; the file is a ZIP archive) > extracted exe

email_headers
--------------
Received: from sw0.sweimpo.cf (sw0.sweimpo.cf [185.62.189.148])
    for <user0@ou7.victim1.com>; Mon, 3 Dec 2018 12:31:37 +0200 (EET)
    (envelope-from y-tsuchiya@kenefsa.co.jp)
Subject: Confirm INV
To: user0@ou7.victim1.com
From: "Capt Yuki" <y-tsuchiya@kenefsa.co.jp>
Date: Mon, 03 Dec 2018 02:31:20 -0800

files
--------------

SHA-256 39b378f0f90a24e027e282ab24c8c313cd85b137cb922f1eeb3e26ffb9f9eef4
File name   INV_992990018030-pdf.arj    [Zip archive data, at least v2.0 to extract]
File size   421.96 KB

SHA-256 b37232f41cd805fc46f624b52f80dba06dfbeee03392ed048060988a1a6b7ff0
File name   INV_992990018030-pdf.exe    [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   768.5 KB

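The two file entries above show the lure: a name that ends in "-pdf" with an .arj extension, while the bytes are actually a ZIP archive holding a PE. The following is an added attachment-triage example (editor's code, not part of the original post or the author's tooling) that flags exactly those three conditions: extension vs. sniffed magic mismatch, a document-lookalike token before the archive extension, and a PE member inside the archive. The magic-byte table is public file-format knowledge; the ZIP built in `build_sample_attachment` is a constructed stand-in with a fake "MZ" stub, not the real sample.

```python
import io
import zipfile

# Leading magic bytes for the formats relevant here (public file-format facts).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x60\xea": "arj",
    b"MZ": "pe",
    b"%PDF": "pdf",
}

# What a given declared extension should sniff as.
EXPECTED_FORMAT = {".zip": "zip", ".arj": "arj", ".pdf": "pdf", ".exe": "pe"}

# Document-looking tokens that attackers glue onto a name before the real extension.
DOC_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx")


def sniff_format(data):
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def declared_extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def looks_like_double_extension(name):
    """True for names such as 'INV_...-pdf.arj' where the stem ends in a doc token."""
    stem = name.rsplit(".", 1)[0].lower()
    return any(stem.endswith(sep + tok) for sep in ("-", "_", ".") for tok in DOC_TOKENS)


def zip_members_with_executables(data):
    """List archive members whose first two bytes are the PE/MZ header."""
    pes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if zf.open(info).read(2) == b"MZ":
                pes.append(info.filename)
    return pes


def triage_attachment(name, data):
    """Combine the three checks into one finding list for a mail attachment."""
    ext = declared_extension(name)
    fmt = sniff_format(data)
    findings = []
    expected = EXPECTED_FORMAT.get(ext)
    if expected and expected != fmt:
        findings.append(f"extension {ext} but content is {fmt}")
    if looks_like_double_extension(name):
        findings.append("document-lookalike stem before archive extension")
    if fmt == "zip":
        pes = zip_members_with_executables(data)
        if pes:
            findings.append("archive contains PE: " + ", ".join(pes))
    return {"name": name, "declared": ext, "sniffed": fmt, "findings": findings}


def build_sample_attachment():
    """Constructed stand-in for the attachment: a ZIP holding a fake PE stub.
    The real sample's bytes are deliberately not reproduced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INV_992990018030-pdf.exe", b"MZ" + b"\x00" * 62 + b"fake PE body for illustration")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_attachment("INV_992990018030-pdf.arj", build_sample_attachment())
    for finding in result["findings"]:
        print("-", finding)
```

Run against the constructed archive, all three findings fire; a genuine PDF named report.pdf produces none. In a mail gateway the same checks belong before any antivirus verdict, since a sniffed-format mismatch alone is enough to quarantine an invoice attachment.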
activity
**************

PL_GET:     attach

C2:     h11p:\ 2979{.} my{.} to/obinna/king.php

netwrk
--------------
208.51.63.241   2979{.} my{.} to    POST /obinna/king.php HTTP/1.0  Mozilla/4.08 (Charon; Inferno)

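The netwrk line above is the detection-relevant part of this post: an HTTP/1.0 POST to the C2 path with the User-Agent "Mozilla/4.08 (Charon; Inferno)". The following is an added example (editor's code, not from the original post) that refangs the defanged C2 string from the post and runs three checks over proxy-style log lines: that exact User-Agent on an HTTP/1.0 POST, the known C2 host and path, and the known C2 IP. The log format and the sample lines are constructed for the example; only the indicators are taken from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post, C2 kept in its defanged form.
DEFANGED_C2 = "h11p:\\ 2979{.} my{.} to/obinna/king.php"
C2_IP = "208.51.63.241"
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed log format: ts src dst method host uri proto "user-agent".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: one full beacon, benign browsing, a beacon to an
# unrelated panel, and a browser hit on the C2 IP.
SAMPLE_LOG = """\
2018-12-03T10:32:01Z 10.0.7.23 208.51.63.241 POST 2979.my.to /obinna/king.php HTTP/1.0 "Mozilla/4.08 (Charon; Inferno)"
2018-12-03T10:32:05Z 10.0.7.23 93.184.216.34 GET example.com / HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2018-12-03T10:33:11Z 10.0.7.41 198.51.100.9 POST 198.51.100.9 /other/panel.php HTTP/1.0 "Mozilla/4.08 (Charon; Inferno)"
2018-12-03T10:34:40Z 10.0.7.52 208.51.63.241 GET 2979.my.to /index.html HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def refang(indicator):
    """Turn the post's defanging (h11p:\\ host{.} tld) back into a real URL."""
    s = indicator.replace("h11p", "http").replace("hxxp", "http")
    s = s.replace("{.}", ".").replace("[.]", ".")
    s = re.sub(r":\\\s*", "://", s)  # 'http:\ host' -> 'http://host'
    return s.replace(" ", "")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def detect_lokibot(rows, c2_url=DEFANGED_C2, c2_ip=C2_IP):
    """Return one hit per row with the list of reasons it matched."""
    c2 = urlsplit(refang(c2_url))
    hits = []
    for r in rows:
        reasons = []
        # Behavioural rule: the Lokibot beacon UA on an HTTP/1.0 POST, host-agnostic.
        if r["ua"] == LOKIBOT_UA and r["method"] == "POST" and r["proto"] == "HTTP/1.0":
            reasons.append("lokibot user-agent beacon")
        # Atomic indicators from the post.
        if r["host"] == c2.hostname and r["uri"] == c2.path:
            reasons.append("known C2 URL")
        if r["dst"] == c2_ip:
            reasons.append("known C2 IP")
        if reasons:
            hits.append({"ts": r["ts"], "src": r["src"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_lokibot(parse_log(SAMPLE_LOG)):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

The behavioural rule is the one worth keeping after the host and IP rotate: the third sample line hits on the User-Agent alone even though it goes to a panel the post never mentions, while the fourth shows why a bare IP match needs triage (a browser GET to the same address is not a beacon).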
comp
--------------
INV_992990018030-pdf.exe    3896    208.51.63.241   80  ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\INV_992990018030-pdf.exe

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
https://www.virustotal.com/#/file/39b378f0f90a24e027e282ab24c8c313cd85b137cb922f1eeb3e26ffb9f9eef4/details
https://www.virustotal.com/#/file/b37232f41cd805fc46f624b52f80dba06dfbeee03392ed048060988a1a6b7ff0/details
https://analyze.intezer.com/#/analyses/14f40b36-e8eb-4201-972b-b3cf960991d5

VR