#IOC #OptiData #VR #LokiBot #RTF #11882
https://pastebin.com/7zTpaww5

previous_contact:
03/12/18 https://pastebin.com/Wg4bSRFp
01/12/18 https://pastebin.com/w5Gy50d5
01/12/18 https://pastebin.com/JHBUsJ7k
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
08/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach .doc(RTF) > 11882 > EQNEDT32 > GET .jpg > %temp%\1.exe

email_headers
--------------
Received: from gunimo.com ([209.97.148.252])
    by srv8.victim1.com for <user0@org7.victim1.com>;
Received: from [103.99.1.147] (helo=User)
    by gunimo.com (envelope-from <imports.falcos@gmail.com>)
From: "Riccardo Ardemani"<imports.falcos@gmail.com>
Subject: ORDER_15409795
Date: Thu, 10 Jan 2019 08:58:30 -0800

files
--------------
SHA-256 4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98
File name 15409795.doc [Rich Text Format data, version 1]
File size 328.94 KB
SHA-256 4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065
File name 15409795.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 642.5 KB

activity
**************
PL_SRC bit{.} ly/2LZmwGO >> cgi{.} cvpsas{.} com/15409795.jpg
C2 decvit{.} gq

netwrk
--------------
67.199.248.10 bit{.} ly GET /2LZmwGO HTTP/1.1 Mozilla/4.0
64.37.60.157 cgi{.} cvpsas{.} com GET /15409795.jpg HTTP/1.1 Mozilla/4.0
45.62.211.135 decvit{.} gq POST /O/annd2/cat.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE 4040 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 4040 64.37.60.157 80 ESTABLISHED
[System] 0 45.62.211.135 80 TIME_WAIT
poish.exe 2868 45.62.211.135 80 ESTABLISHED
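Added example, not part of the original paste: a small Python check that runs over a netstat-style process/connection listing like the comp section above and flags the two things a defender can key on from it, any socket owned by EQNEDT32.EXE (Equation Editor has no reason to talk to the network) and any connection whose remote address is one of the IPs listed in this paste. The listing it scans is the four comp lines plus one constructed benign chrome.exe line; the function and constant names are the example's own.

```python
"""Flag suspicious connections in a 'PROCESS PID IP PORT STATE' listing.

Added example, not from the original paste. Two checks, both taken from the
indicators in the paste:
  1. EQNEDT32.EXE (the Equation Editor reached through the RTF > 11882 chain)
     should never own a socket, so any connection it holds is flagged.
  2. Any connection to one of the paste's payload / C2 IPs is flagged.
"""
import ipaddress
from dataclasses import dataclass

# Remote IPs copied from the paste's netwrk / comp sections.
IOC_IPS = {"67.199.248.10", "64.37.60.157", "45.62.211.135"}

# Processes that have no legitimate network use; EQNEDT32.EXE is the one in the paste.
NO_NETWORK_PROCS = {"eqnedt32.exe"}

# Constructed sample listing: the four comp lines from the paste plus one made-up,
# benign browser connection (93.184.216.34 is just a placeholder address) so the
# scan has something it must NOT flag.
SAMPLE_CONNECTIONS = """\
EQNEDT32.EXE 4040 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 4040 64.37.60.157 80 ESTABLISHED
[System] 0 45.62.211.135 80 TIME_WAIT
poish.exe 2868 45.62.211.135 80 ESTABLISHED
chrome.exe 1234 93.184.216.34 443 ESTABLISHED
"""


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    remote_ip: str
    remote_port: int
    state: str
    reason: str


def parse_line(line):
    """Parse one 'PROCESS PID IP PORT STATE' line; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    proc, pid, ip, port, state = parts
    try:
        ipaddress.ip_address(ip)  # reject garbage in the IP column
        return proc, int(pid), ip, int(port), state
    except ValueError:
        return None


def scan(listing):
    """Return one Finding per (connection, reason) pair; clean lines produce nothing."""
    findings = []
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        proc, pid, ip, port, state = parsed
        reasons = []
        if proc.lower() in NO_NETWORK_PROCS:
            reasons.append("network activity from a process that should never use the network")
        if ip in IOC_IPS:
            reasons.append("remote address matches a listed IOC")
        for reason in reasons:
            findings.append(Finding(proc, pid, ip, port, state, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CONNECTIONS):
        print(f"{f.process} (pid {f.pid}) -> {f.remote_ip}:{f.remote_port} [{f.state}]: {f.reason}")
```

On the sample listing the EQNEDT32.EXE lines are reported twice each (process rule and IOC rule), the [System] TIME_WAIT entry and poish.exe once each for the IOC match, and the constructed chrome.exe line is not reported. The process rule is the more durable of the two: the IPs rotate between campaigns, while an Equation Editor process holding a socket stays anomalous regardless of where it connects.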
proc
--------------
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\bsig\poish.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 09.01.2019 9:47
bsig.vbs
"
Set KzvxfmWYRQlpyp = creatEOBject("wScRiPt.SHell")
KzVXfMwYrQLpyP.ruN """C:\Users\operator\AppData\Roaming\bsig\poish.exe"""
"
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\bsig.vbs 09.01.2019 9:47

drop
--------------
C:\tmp\1.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\bsig
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsig.vbs

# # #
https://www.virustotal.com/#/file/4b505ec152c9e305bb93157f9b1fc862be298256da4d3336949560b03029cf98/details
https://www.virustotal.com/#/url/0452218c955dc2af4cc274c2d56a4c648acb30a8d22ca34b94811a07d051b1bb/details
https://www.virustotal.com/#/file/4d59a0029c26fcbbf873b511ee889925f05b43fbc614636b2b149db1cca4f065/details
https://analyze.intezer.com/#/analyses/a49e1a75-5318-4f23-8c86-d431d837257f

VR
@