VRad

#lokibot_081018

Oct 9th, 2018

#IOC #OptiData #VR #lokibot #RTF #OLE

https://pastebin.com/cZxQGbyq
https://radetskiy.wordpress.com/?s=lokibot

scheme
--------------
email > attach (RTF) > OLE > drop cmd & sct > execute payload

email_headers
--------------
n/a

files
--------------
SHA-256 d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d
File name Fax-Message-10-8-2018.doc
File size 864.78 KB

SHA-256 5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4
File name SopCast.exe
File size 344 KB

activity
**************

proc
--------------
C:\tmp\saver.exe
C:\tmp\saver.exe
C:\Users\operator\AppData\Roaming\39B01F

netwrk
--------------
149.129.145.92 theonlygoodman.com POST /eed/fre.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
WINWORD.EXE 1536 TCP 10.0.2.15 49219 138.68.124.59 443 ESTABLISHED
WINWORD.EXE 1536 TCP 10.0.2.15 49220 172.217.20.206 443 ESTABLISHED
saver.exe 420 TCP 10.0.2.15 49224 149.129.145.92 80 ESTABLISHED

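Added example (not part of the original paste): a small Python matcher that runs the netwrk and comp indicators above over constructed proxy-log and netstat-style lines. The C2 IP, domain, path and User-Agent are copied from the paste; the tab-separated proxy-log layout, the extra sample lines, and the assumption that the "Mozilla/4.08 (Charon; Inferno)" User-Agent together with a POST to a fre.php panel path is worth alerting on even when the host differs from this sample are mine, not the author's.

```python
"""Match host/network telemetry against the LokiBot IOCs listed in the paste above."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Indicators copied from the netwrk / comp sections of the paste.
C2_IPS = {"149.129.145.92"}
C2_DOMAINS = {"theonlygoodman.com"}
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"
# Assumption (mine): the panel path is matched on its own so that other hosts
# reusing the same fre.php endpoint with the same User-Agent are still flagged.
LOKI_PANEL_RE = re.compile(r"/fre\.php$", re.IGNORECASE)
# Office executables holding outbound sessions to non-private addresses are
# worth a look in this chain (WINWORD.EXE appears in the comp section above).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample proxy-log lines (format is mine): ts, src, dst, host, method, path, ua.
HTTP_LOG = [
    "2018-10-08T10:02:11Z\t10.0.2.15\t149.129.145.92\ttheonlygoodman.com\tPOST\t/eed/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "2018-10-08T10:02:12Z\t10.0.2.15\t172.217.20.206\twww.google.com\tGET\t/\tMozilla/5.0 (Windows NT 6.1)",
    "2018-10-08T10:02:13Z\t10.0.2.16\t203.0.113.7\tother.example\tPOST\t/panel/fre.php\tMozilla/4.08 (Charon; Inferno)",
]

# The three connection lines from the comp section plus one constructed benign line.
NETSTAT = [
    "WINWORD.EXE 1536 TCP 10.0.2.15 49219 138.68.124.59 443 ESTABLISHED",
    "WINWORD.EXE 1536 TCP 10.0.2.15 49220 172.217.20.206 443 ESTABLISHED",
    "saver.exe 420 TCP 10.0.2.15 49224 149.129.145.92 80 ESTABLISHED",
    "chrome.exe 2200 TCP 10.0.2.15 49230 172.217.20.206 443 ESTABLISHED",
]

NETSTAT_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[\d.]+)\s+(?P<lport>\d+)\s+(?P<raddr>[\d.]+)\s+(?P<rport>\d+)\s+(?P<state>\S+)$"
)


@dataclass
class Hit:
    source: str            # "http" or "netstat"
    line: str              # the raw telemetry line that matched
    reasons: list = field(default_factory=list)


def check_http(line: str) -> list:
    """Return the indicator names a proxy-log line matches (empty list if none)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"unexpected field count: {line!r}")
    _ts, _src, dst, host, method, path, ua = parts
    reasons = []
    if dst in C2_IPS:
        reasons.append("c2-ip")
    if host.lower() in C2_DOMAINS:
        reasons.append("c2-domain")
    if ua == LOKI_UA:
        reasons.append("lokibot-ua")
    if method.upper() == "POST" and LOKI_PANEL_RE.search(path):
        reasons.append("lokibot-panel-path")
    return reasons


def check_netstat(line: str) -> list:
    """Return indicator names for one line in the paste's comp layout
    (proc pid proto laddr lport raddr rport state)."""
    m = NETSTAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable connection line: {line!r}")
    f = m.groupdict()
    reasons = []
    if f["raddr"] in C2_IPS:
        reasons.append("c2-ip")
    if (f["proc"].lower() in OFFICE_PROCS and f["state"] == "ESTABLISHED"
            and not ip_address(f["raddr"]).is_private):
        reasons.append("office-outbound")
    return reasons


def scan(http_lines, netstat_lines) -> list:
    """Run both checks and collect every line that matched at least one indicator."""
    hits = []
    for l in http_lines:
        r = check_http(l)
        if r:
            hits.append(Hit("http", l, r))
    for l in netstat_lines:
        r = check_netstat(l)
        if r:
            hits.append(Hit("netstat", l, r))
    return hits


if __name__ == "__main__":
    for h in scan(HTTP_LOG, NETSTAT):
        print(f"[{h.source}] {', '.join(h.reasons)}: {h.line}")
```

The two WINWORD.EXE sessions only earn the weaker "office-outbound" tag; one of those addresses (172.217.20.206) is the same one chrome.exe talks to, so on its own that tag is a lead for the analyst, not a verdict. The saver.exe session to 149.129.145.92 and the fre.php POST with the Charon/Inferno User-Agent are the lines that tie the host to this sample.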
persist
--------------
n/a

# # #
https://www.virustotal.com/#/file/d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d/detection
https://www.virustotal.com/#/file/5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4/detection
https://analyze.intezer.com/#/analyses/858a968d-20f4-403c-a95e-bcbe911d2d41