API tools faq
paste
Advertisement
VRad

#lokibot_031218

VRad
Dec 3rd, 2018
817
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.01 KB | None | 0 0
raw download clone embed print report
  1. #IOC #OptiData #VR #Lokibot #ZIP
  2.  
  3. https://pastebin.com/Wg4bSRFp
  4.  
  5. previous_contact:
  6. 01/12/18 https://pastebin.com/w5Gy50d5
  7. 01/12/18 https://pastebin.com/JHBUsJ7k
  8. 28/11/18 https://pastebin.com/W0e6iWnc
  9. 28/11/18 https://pastebin.com/4hf0UEqM
  10. 16/10/18 https://pastebin.com/LPqjHUkQ
  11. 8/10/18 https://pastebin.com/cZxQGbyq
  12. 27/09/18 https://pastebin.com/5bpk5kKs
  13.  
  14. FAQ:
  15. https://radetskiy.wordpress.com/?s=lokibot
  16.  
  17. attack_vector
  18. --------------
  19. email attach pdf.arj(zip) > exe
  20.  
  21. email_headers
  22. --------------
  23. Received: from sw0.sweimpo.cf (sw0.sweimpo.cf [185.62.189.148])
  24. for <user0@ou7.victim1.com>; Mon, 3 Dec 2018 12:31:37 +0200 (EET)
  25. (envelope-from y-tsuchiya@kenefsa.co.jp)
  26. Subject: Confirm INV
  27. To: user0@ou7.victim1.com
  28. From: "Capt Yuki" <y-tsuchiya@kenefsa.co.jp>
  29. Date: Mon, 03 Dec 2018 02:31:20 -0800
  30.  
  31. files
  32. --------------
  33.  
  34. SHA-256 39b378f0f90a24e027e282ab24c8c313cd85b137cb922f1eeb3e26ffb9f9eef4
  35. File name INV_992990018030-pdf.arj [Zip archive data, at least v2.0 to extract]
  36. File size 421.96 KB
  37.  
  38. SHA-256 b37232f41cd805fc46f624b52f80dba06dfbeee03392ed048060988a1a6b7ff0
  39. File name INV_992990018030-pdf.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
  40. File size 768.5 KB
  41.  
  42. activity
  43. **************
  44.  
  45. PL_GET: attach
  46.  
  47. C2: h11p:\ 2979{.} my{.} to/obinna/king.php
  48.  
  49. netwrk
  50. --------------
  51. 208.51.63.241 2979{.} my{.} to POST /obinna/king.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)
  52.  
  53. comp
  54. --------------
  55. INV_992990018030-pdf.exe 3896 208.51.63.241 80 ESTABLISHED
  56.  
  57. proc
  58. --------------
  59. C:\Users\operator\Desktop\INV_992990018030-pdf.exe
  60.  
  61. persist
  62. --------------
  63. n/a
  64.  
  65. drop
  66. --------------
  67. C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
  68. C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
  69.  
  70. # # #
  71. https://www.virustotal.com/#/file/39b378f0f90a24e027e282ab24c8c313cd85b137cb922f1eeb3e26ffb9f9eef4/details
  72. https://www.virustotal.com/#/file/b37232f41cd805fc46f624b52f80dba06dfbeee03392ed048060988a1a6b7ff0/details
  73. https://analyze.intezer.com/#/analyses/14f40b36-e8eb-4201-972b-b3cf960991d5
  74.  
  75. VR
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!