VRad

#lokibot_120219

Feb 12th, 2019
#IOC #OptiData #VR #Lokibot #EXE #RAR

https://pastebin.com/701RuZee

previous_contact (DD/MM/YY):
10/01/19 https://pastebin.com/7zTpaww5
03/12/18 https://pastebin.com/Wg4bSRFp
01/12/18 https://pastebin.com/w5Gy50d5
01/12/18 https://pastebin.com/JHBUsJ7k
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
08/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot
  18.  
attack_vector
--------------
email attachment .RAR > "nedu crypted.bat" (a PE32 executable despite the .bat name) > dropped .exe in %APPDATA%
  22.  
email_headers
--------------
Received: from app2.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140])
by 0.0.0.0:25 (trex/5.7.12); Tue, 12 Feb 2019 05:42:04 -0500
Received: from argoselectrica.com (localhost.localdomain [127.0.0.1])
by app2.wa-webapps.iad3a (Postfix) with ESMTP id CFC56A004F; Tue, 12 Feb 2019 05:42:03 -0500 (EST)
Received: by argoselectrica.mymailsrvr.com
(Authenticated sender: cpineda@argoselectrica.com, from: elizabeth.sanzon@dhl.com)
with HTTP; Tue, 12 Feb 2019 04:42:03 -0600 (CST)
X-Auth-ID: cpineda@argoselectrica.com
Date: Tue, 12 Feb 2019 04:42:03 -0600 (CST)
Subject: Fw: Ваше повідомлення DHL Shipment: 6278216733 (комерційний рахунок-фактура, коносамент)
[Subject, translated: Fw: Your message DHL Shipment: 6278216733 (commercial invoice, bill of lading)]
From: Головний офіс DHL Express: Україна [elizabeth.sanzon@dhl.com]
[From, translated: DHL Express head office: Ukraine]

Note the sender mismatch: the message was submitted through the webmail account cpineda@argoselectrica.com (X-Auth-ID / Authenticated sender), while the visible From address is a spoofed dhl.com identity.
  36.  
files
--------------
SHA-256 f1d0a19c71b7cfdcbe4a5b461608dae85d58ff82c505a9804cf1f4c2b98355c4
File name Комерційний рахунок-фактура.PDF.rar (Commercial invoice.PDF.rar)
Коносамент.PDF.rar (Bill of lading.PDF.rar)
Список упаковки.PDF.rar (Packing list.PDF.rar) [RAR archive data, v1d, os: Win32]
File size 245.51 KB
(the three attachment names are double-extension lures for the same archive hash; the inner file is the executable below)

SHA-256 98eb0692b796ac0d5dc763bb0af2ed4ed4a820d3d95f027f8c55cc5a32f090e1
File name nedu crypted.bat [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 865.62 KB
  48.  
activity
--------------

C2 185.125.230.120:80

netwrk
--------------
185.125.230.120 ccloneforty.com POST /droid/five/fre.php User-Agent: Mozilla/4.08 (Charon; Inferno)
  57.  
comp (process, PID, remote IP, remote port, state)
--------------
nedu crypted.bat 2276 185.125.230.120 80 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\nedu crypted.bat

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\System32\mobsync.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

persist
--------------
n/a

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
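Two triage checks built from the indicators above, covering both the files section (a PE32 named .bat, document-looking double extensions) and the netwrk section (POST to fre.php with the fixed Mozilla/4.08 User-Agent). This is an added example, not code from the paste or its author; the sample file bytes and the HTTP log lines are constructed here, and the tab-separated log layout is an assumption for illustration. Only the file names, host, IP, URI and User-Agent come from the paste.

```python
"""Added example (not from the original paste): attachment triage and HTTP log
matching for the Lokibot chain documented above. Sample bytes and log lines are
constructed for illustration."""
import re
from pathlib import PureWindowsPath

# Magic bytes for the two container types seen in this chain.
PE_MAGIC = b"MZ"
RAR_MAGIC = b"Rar!\x1a\x07\x00"   # legacy RAR signature, reported as "v1d" by file(1)

# Lure names hide an archive behind a document extension.
DOC_EXTENSIONS = {".pdf", ".doc", ".xls"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> list:
    """Return the reasons a file is suspicious (empty list = nothing found)."""
    findings = []
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    kind = sniff_type(data)
    # "Коносамент.PDF.rar": a document name wrapped around an archive.
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS:
        findings.append(f"double extension {''.join(suffixes[-2:])}")
    # "nedu crypted.bat" is a PE32 executable, not a batch script.
    if kind == "pe" and suffixes and suffixes[-1] != ".exe":
        findings.append(f"PE content behind {suffixes[-1]} extension")
    return findings


# Beacon shape from the paste: POST to */fre.php with a fixed, ancient User-Agent.
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"
LOKI_C2_HOSTS = {"ccloneforty.com", "185.125.230.120"}
FRE_PHP = re.compile(r"/fre\.php(\?|$)")


def scan_http_log(lines: list) -> list:
    """Return (line_no, reason) for each line matching the C2 pattern.

    Assumed (constructed) log layout, tab-separated:
    timestamp  src_ip  method  host  uri  user_agent
    """
    hits = []
    for no, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue  # malformed line: skip rather than crash the scan
        _ts, _src, method, host, uri, ua = fields
        reasons = []
        if ua == LOKI_UA:
            reasons.append("Lokibot User-Agent")
        if host in LOKI_C2_HOSTS:
            reasons.append("known C2 host")
        if method == "POST" and FRE_PHP.search(uri):
            reasons.append("POST to fre.php")
        if reasons:
            hits.append((no, "; ".join(reasons)))
    return hits


# Constructed sample inputs (not captured data).
SAMPLE_FILES = [
    ("Коносамент.PDF.rar", RAR_MAGIC + b"\x00" * 16),
    ("nedu crypted.bat", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.exe", b"MZ" + b"\x00" * 10),
]
SAMPLE_LOG = [
    "2019-02-12T10:43:01\t10.0.0.17\tGET\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0) Firefox/65.0",
    "2019-02-12T10:43:09\t10.0.0.17\tPOST\tccloneforty.com\t/droid/five/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "2019-02-12T10:44:15\t10.0.0.23\tPOST\t185.125.230.120\t/droid/five/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "2019-02-12T10:45:00\t10.0.0.17\tGET\tcdn.example.net\t/fre.php?x=1\tMozilla/5.0 (Windows NT 10.0) Firefox/65.0",
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(name, triage_attachment(name, data))
    for no, reason in scan_http_log(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

The fourth sample line (a GET to a fre.php path on an unrelated host with a normal User-Agent) is deliberately left unmatched: the URI alone is too weak a signal, so the check requires the POST method, the host, or the User-Agent to fire.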
  79.  
# # #
https://www.virustotal.com/#/file/f1d0a19c71b7cfdcbe4a5b461608dae85d58ff82c505a9804cf1f4c2b98355c4/details
https://www.virustotal.com/#/file/98eb0692b796ac0d5dc763bb0af2ed4ed4a820d3d95f027f8c55cc5a32f090e1/details
https://analyze.intezer.com/#/analyses/fb7f876b-be0a-4f3d-a067-de2ada2f0aa8

VR

@