
#lokibot_081018

VRad, Oct 9th, 2018 (edited)
#IOC #OptiData #VR #lokibot #RTF #OLE

https://pastebin.com/cZxQGbyq
https://radetskiy.wordpress.com/?s=lokibot

schema
--------------
email > attach (RTF) > OLE > drop cmd & sct > execute payload

email_headers
--------------
n/a

files
--------------
SHA-256    d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d
File name  Fax-Message-10-8-2018.doc
File size  864.78 KB

SHA-256    5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4
File name  SopCast.exe
File size  344 KB

activity
**************

proc
--------------
C:\tmp\saver.exe
C:\tmp\saver.exe
C:\Users\operator\AppData\Roaming\39B01F

netwrk
--------------
Server IP       Host                Request                    User-Agent
149.129.145.92  theonlygoodman.com  POST /eed/fre.php HTTP/1.0  Mozilla/4.08 (Charon; Inferno)

comp
--------------
Process      PID   Proto  Local addr  Local port  Remote addr     Remote port  State
WINWORD.EXE  1536  TCP    10.0.2.15   49219       138.68.124.59   443          ESTABLISHED
WINWORD.EXE  1536  TCP    10.0.2.15   49220       172.217.20.206  443          ESTABLISHED
saver.exe    420   TCP    10.0.2.15   49224       149.129.145.92  80           ESTABLISHED

persist
--------------
n/a

# # #
https://www.virustotal.com/#/file/d7f719eb3cc4e5d108a07728160847dd89c84c2914ba27f11faa25039f265c0d/detection
https://www.virustotal.com/#/file/5d5d95c8f6643226384ecf1d6a7d4a920c4620edcd63a92a5197a580d4d7f7d4/detection
https://analyze.intezer.com/#/analyses/858a968d-20f4-403c-a95e-bcbe911d2d41