VRad

#lokibot_100119

Jan 10th, 2019
#IOC #OptiData #VR #LokiBot #RTF #11882

https://pastebin.com/7zTpaww5

previous_contact:
03/12/18 https://pastebin.com/Wg4bSRFp
01/12/18 https://pastebin.com/w5Gy50d5
01/12/18 https://pastebin.com/JHBUsJ7k
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
08/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach .doc(RTF) > 11882 > EQNEDT32 > GET .jpg > %temp%\1.exe

email_headers
--------------
Received: from gunimo.com ([209.97.148.252])
by srv8.victim1.com for <user0@org7.victim1.com>;
Received: from [103.99.1.147] (helo=User)
by gunimo.com (envelope-from <imports.falcos@gmail.com>)
From: "Riccardo Ardemani"<imports.falcos@gmail.com>
Subject: ORDER_15409795
Date: Thu, 10 Jan 2019 08:58:30 -0800

files
--------------
SHA-256 4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98
File name 15409795.doc [Rich Text Format data, version 1]
File size 328.94 KB

SHA-256 4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065
File name 15409795.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 642.5 KB

activity
**************

PL_SRC bit{.} ly/2LZmwGO >> cgi{.} cvpsas{.} com/15409795.jpg

C2 decvit{.} gq

netwrk
--------------
67.199.248.10 bit{.} ly GET /2LZmwGO HTTP/1.1 Mozilla/4.0
64.37.60.157 cgi{.} cvpsas{.} com GET /15409795.jpg HTTP/1.1 Mozilla/4.0
45.62.211.135 decvit{.} gq POST /O/annd2/cat.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE 4040 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 4040 64.37.60.157 80 ESTABLISHED
[System] 0 45.62.211.135 80 TIME_WAIT
poish.exe 2868 45.62.211.135 80 ESTABLISHED

proc
--------------
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\bsig\poish.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 09.01.2019 9:47
bsig.vbs
"
Set KzvxfmWYRQlpyp = creatEOBject("wScRiPt.SHell")
KzVXfMwYrQLpyP.ruN """C:\Users\operator\AppData\Roaming\bsig\poish.exe"""
"
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\bsig.vbs 09.01.2019 9:47

drop
--------------
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\bsig
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsig.vbs

# # #
https://www.virustotal.com/#/file/4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98/details
https://www.virustotal.com/#/url/0452218c955dc2af4cc274c2d56a4c648acb30a8d22ca34b94811a07d051b1bb/details
https://www.virustotal.com/#/file/4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065/details
https://analyze.intezer.com/#/analyses/a49e1a75-5318-4f23-8c86-d431d837257f

VR

@