- #IOC #OptiData #VR #Lokibot #EXE #RAR
- https://pastebin.com/701RuZee
- previous_contact:
- 10/01/19 https://pastebin.com/7zTpaww5
- 03/12/18 https://pastebin.com/Wg4bSRFp
- 01/12/18 https://pastebin.com/w5Gy50d5
- 01/12/18 https://pastebin.com/JHBUsJ7k
- 28/11/18 https://pastebin.com/W0e6iWnc
- 28/11/18 https://pastebin.com/4hf0UEqM
- 16/10/18 https://pastebin.com/LPqjHUkQ
- 08/10/18 https://pastebin.com/cZxQGbyq
- 27/09/18 https://pastebin.com/5bpk5kKs
- FAQ:
- https://radetskiy.wordpress.com/?s=lokibot
- attack_vector
- --------------
- email attach .RAR > .bat (actually a PE32 executable, see files) > dropped .exe
- email_headers
- --------------
- Received: from app2.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140])
- by 0.0.0.0:25 (trex/5.7.12); Tue, 12 Feb 2019 05:42:04 -0500
- Received: from argoselectrica.com (localhost.localdomain [127.0.0.1])
- by app2.wa-webapps.iad3a (Postfix) with ESMTP id CFC56A004F; Tue, 12 Feb 2019 05:42:03 -0500 (EST)
- Received: by argoselectrica.mymailsrvr.com
- (Authenticated sender: cpineda@argoselectrica.com, from: elizabeth.sanzon@dhl.com)
- with HTTP; Tue, 12 Feb 2019 04:42:03 -0600 (CST)
- X-Auth-ID: cpineda@argoselectrica.com
- Date: Tue, 12 Feb 2019 04:42:03 -0600 (CST)
- Subject: Fw: Ваше повідомлення DHL Shipment: 6278216733 (комерційний рахунок-фактура, коносамент)
- [Subject, translated: "Fw: Your message DHL Shipment: 6278216733 (commercial invoice, bill of lading)"]
- From: Головний офіс DHL Express: Україна [elizabeth.sanzon@dhl.com]
- [From, translated: "DHL Express Head Office: Ukraine"]
- note: Authenticated sender / X-Auth-ID is cpineda@argoselectrica.com, not the displayed dhl.com address; the mail was submitted through the argoselectrica.com webmail account (mymailsrvr.com) and the DHL From is spoofed
- files
- --------------
- SHA-256 f1d0a19c71b7cfdcbe4a5b461608dae85d58ff82c505a9804cf1f4c2b98355c4
- File name Комерційний рахунок-фактура.PDF.rar ("Commercial invoice.PDF.rar")
- Коносамент.PDF.rar ("Bill of lading.PDF.rar")
- Список упаковки.PDF.rar ("Packing list.PDF.rar") [RAR archive data, v1d, os: Win32]
- (same archive, one SHA-256, attached under three names; the .PDF before .rar is a decoy double extension, not a PDF)
- File size 245.51 KB
- SHA-256 98eb0692b796ac0d5dc763bb0af2ed4ed4a820d3d95f027f8c55cc5a32f090e1
- File name nedu crypted.bat [PE32 executable (GUI) Intel 80386, for MS Windows]
- (despite the .bat extension this is a PE32 executable, not a batch script; classify by the MZ header, not the name)
- File size 865.62 KB
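Added check for the two naming tricks in the files above (a document extension in front of .rar, and a .bat whose bytes are a PE). This is example code written for this page, not something from the paste or the Lokibot samples; the sample byte strings are constructed stand-ins for the first bytes of the attachments, and the extension lists are my own choice.

```python
from pathlib import PurePath

# Magic bytes for the two container types seen in this campaign.
RAR_MAGIC = b"Rar!\x1a\x07"   # RAR marker block (RAR4 continues with \x00, RAR5 with \x01\x00)
PE_MAGIC = b"MZ"              # DOS stub header that every PE32 file starts with

DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}   # assumed list
SCRIPT_EXTS = {".bat", ".cmd"}


def detect_type(data: bytes) -> str:
    """Classify content by leading bytes, ignoring the file name entirely."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def inspect(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are; return findings."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    actual = detect_type(data)
    findings = []
    # "Invoice.PDF.rar": a document extension used as decoy in front of the real one
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        findings.append("double extension: decoy %s before real %s" % (suffixes[-2], ext))
    # "nedu crypted.bat" that starts with MZ is a PE, not a batch script
    if ext in SCRIPT_EXTS and actual == "pe":
        findings.append("PE executable disguised as %s script" % ext)
    # archive extension on something that is not an archive
    if ext == ".rar" and actual != "rar":
        findings.append("claims RAR but content is %s" % actual)
    return {"name": name, "ext": ext, "actual": actual, "findings": findings}


# Constructed stand-ins for the attachments (first bytes only); not the real samples.
SAMPLES = {
    "Комерційний рахунок-фактура.PDF.rar": RAR_MAGIC + b"\x00" + b"\x00" * 16,
    "nedu crypted.bat": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 56,
    "cleanup.bat": b"@echo off\r\ndel /q %TEMP%\\*.tmp\r\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        r = inspect(fname, blob)
        print(r["name"], r["actual"], r["findings"])
```

Run it over an attachment quarantine or a sandbox drop directory; anything with a non-empty findings list is worth a second look before the user ever sees it.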
- activity
- **************
- C2 185.125.230.120:80
- netwrk
- --------------
- 185.125.230.120 ccloneforty.com POST /droid/five/fre.php UA: Mozilla/4.08 (Charon; Inferno)
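Added detection pass over proxy logs for the traffic above: the fixed "Mozilla/4.08 (Charon; Inferno)" user agent, the C2 IP/domain, and a POST to a fre.php gate. Example code written for this page, not from the paste; the log line layout (ts src method host path status "ua") and the sample lines are constructed, and the severity split is my own rule, not something the paste states.

```python
import re
from collections import defaultdict

# Indicators from the activity/netwrk sections above.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
C2_HOSTS = {"185.125.230.120", "ccloneforty.com"}
PANEL_PATH = re.compile(r"/fre\.php$")   # gate script name seen in the POST

# Assumed proxy log layout (constructed for this example): ts src method host path status "ua"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed log lines, not a real capture.
SAMPLE_LOG = """\
2019-02-12T10:43:01Z 10.0.0.15 POST ccloneforty.com /droid/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
2019-02-12T10:43:05Z 10.0.0.22 GET www.dhl.com /en/express.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2019-02-12T10:44:10Z 10.0.0.15 POST 185.125.230.120 /droid/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
2019-02-12T10:45:00Z 10.0.0.31 POST example.org /api/fre.php 404 "curl/7.64.0"
"""


def classify(line: str):
    """Return a hit dict for one log line, or None if it does not parse or is clean."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, status, ua = m.groups()
    reasons = []
    if ua == LOKIBOT_UA:
        reasons.append("lokibot_ua")        # fixed UA string used by this client
    if host in C2_HOSTS:
        reasons.append("known_c2")          # IP/domain from the IOC list
    if method == "POST" and PANEL_PATH.search(path):
        reasons.append("fre_php_post")      # gate path; weak on its own
    if not reasons:
        return None
    # UA or infrastructure match is strong enough to act on; path alone is only a lead.
    severity = "high" if ("lokibot_ua" in reasons or "known_c2" in reasons) else "low"
    return {"ts": ts, "src": src, "host": host, "path": path,
            "reasons": reasons, "severity": severity}


def hunt(log: str):
    """Run classify() over every line and return the hits in log order."""
    return [h for h in (classify(l) for l in log.splitlines()) if h]


def infected_hosts(log: str):
    """Sources with at least one high-severity hit: the boxes to pull for IR."""
    by_src = defaultdict(list)
    for h in hunt(log):
        by_src[h["src"]].append(h["severity"])
    return sorted(s for s, sev in by_src.items() if "high" in sev)


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["severity"], h["src"], "->", h["host"] + h["path"], ",".join(h["reasons"]))
    print("isolate:", infected_hosts(SAMPLE_LOG))
```

The path check is kept separate and low severity on purpose: fre.php is common enough that a POST to it without the UA or a known host should be triaged, not blocked.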
- comp
- --------------
- nedu crypted.bat (PID 2276) -> 185.125.230.120:80 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\nedu crypted.bat
- C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\wbem\wmiprvse.exe -Embedding
- C:\Windows\System32\mobsync.exe -Embedding
- C:\Windows\system32\wbem\wmiprvse.exe -Embedding
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- persist
- --------------
- n/a
- drop
- --------------
- C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
- # # #
- https://www.virustotal.com/#/file/f1d0a19c71b7cfdcbe4a5b461608dae85d58ff82c505a9804cf1f4c2b98355c4/details
- https://www.virustotal.com/#/file/98eb0692b796ac0d5dc763bb0af2ed4ed4a820d3d95f027f8c55cc5a32f090e1/details
- https://analyze.intezer.com/#/analyses/fb7f876b-be0a-4f3d-a067-de2ada2f0aa8
- VR
- @