- #IOC #OptiData #VR #lokibot #RTF #OLE
- https://pastebin.com/cZxQGbyq
- https://radetskiy.wordpress.com/?s=lokibot
- schema
- --------------
- email > attach (RTF) > OLE > drop cmd & sct > execute payload
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d
- File name Fax-Message-10-8-2018.doc
- File size 864.78 KB
- SHA-256 5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4
- File name SopCast.exe
- File size 344 KB
- activity
- **************
- proc
- --------------
- C:\tmp\saver.exe
- C:\tmp\saver.exe
- C:\Users\operator\AppData\Roaming\39B01F
- network
- --------------
- 149.129.145.92 theonlygoodman.com POST /eed/fre.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)
- comp
- --------------
- WINWORD.EXE 1536 TCP 10.0.2.15 49219 138.68.124.59 443 ESTABLISHED
- WINWORD.EXE 1536 TCP 10.0.2.15 49220 172.217.20.206 443 ESTABLISHED
- saver.exe 420 TCP 10.0.2.15 49224 149.129.145.92 80 ESTABLISHED
- persist
- --------------
- n/a
- # # #
- https://www.virustotal.com/#/file/d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d/detection
- https://www.virustotal.com/#/file/5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4/detection
- https://analyze.intezer.com/#/analyses/858a968d-20f4-403c-a95e-bcbe911d2d41