VRad

#lokibot_011218-2

Dec 3rd, 2018
#IOC #OptiData #VR #Lokibot #RTF #11882

https://pastebin.com/w5Gy50d5

previous_contact:
01/12/18 https://pastebin.com/JHBUsJ7k
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
8/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach doc(RTF) > 11882 > GET wwhmvf.jpg > exe

email_headers
--------------
Received: from undp.org ([37.49.225.39])
by srv8.victim1.com (8.15.2/8.15.2)
for <user0@org6.victim1.com>; Sat, 1 Dec 2018 17:12:40 +0200 (EET)
(envelope-from dscme@undp.org)
From: "Mrs. Bijal Bhavsar " <dscme@undp.org>
To: user0@org6.victim1.com
Subject: user0@org6.victim1.com Fw: Additional Invoices
Date: 1 Dec 2018 07:12:20 -0800

files
--------------

SHA-256 e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5
File name Invoice No. 3491.doc [RTF]
File size 22.23 KB

SHA-256 53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5
File name wwhmvf.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 669.5 KB

activity
**************

PL_GET: h11p:\ bit{.} ly/2FLQ8rT > https://a.doko.moe/wwhmvf.jpg

C2: h11p:\ redep{.} cf/kass1/fred.php

netwrk
--------------
67.199.248.10 bit{.} ly GET /2FLQ8rT HTTP/1.1 Mozilla/4.0

62.141.44.15 redep{.} cf POST /kass1/fred.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE 3192 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 3192 67.199.248.14 443 ESTABLISHED
stickcy.exe 3716 62.141.44.15 80 ESTABLISHED

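An added detection example (not part of the original paste) that runs over constructed log lines shaped like the netwrk and comp sections above: it flags Equation Editor opening sockets at all, connections to the listed IPs, and the C2 check-in both by its exact User-Agent and by the more general shape of a legacy Mozilla/4.x UA POSTing to a .php path. The benign contrast entries, the process list and the reason labels are assumptions.

```python
import re
# Constructed sample records shaped like the "comp" and "netwrk" sections above
# (process PID ip port state / ip host method path version UA); middle lines are benign.
CONN_LOG = """\
EQNEDT32.EXE 3192 67.199.248.10 80 ESTABLISHED
chrome.exe 4420 203.0.113.7 443 ESTABLISHED
stickcy.exe 3716 62.141.44.15 80 ESTABLISHED
"""
HTTP_LOG = """\
67.199.248.10 bit.ly GET /2FLQ8rT HTTP/1.1 Mozilla/4.0
203.0.113.7 example.com GET / HTTP/1.1 Mozilla/5.0
62.141.44.15 redep.cf POST /kass1/fred.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)
"""
# Equation Editor (the 11882 host in attack_vector) has no reason to open sockets.
NO_NETWORK_PROCS = {"eqnedt32.exe"}
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"   # User-Agent from netwrk above
IOC_IPS = {"67.199.248.10", "62.141.44.15"}  # payload/C2 IPs from netwrk above
HTTP_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) HTTP/\d\.\d (.*)$")

def flag_connections(log):
    hits = []  # (process, pid, ip, reasons) for each suspicious ESTABLISHED socket
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "ESTABLISHED":
            continue
        proc, pid, ip = parts[0], int(parts[1]), parts[2]
        reasons = []
        if proc.lower() in NO_NETWORK_PROCS:
            reasons.append("office-helper-network")
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((proc, pid, ip, reasons))
    return hits

def flag_http(log):
    hits = []  # (host, method, path, reasons) for each suspicious request
    for line in log.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        ip, host, method, path, ua = m.groups()
        reasons = []
        if ua == LOKI_UA:
            reasons.append("lokibot-ua")
        if method == "POST" and path.endswith(".php") and ua.startswith("Mozilla/4."):
            reasons.append("legacy-ua-php-post")  # generalised shape of the check-in
        if reasons:
            hits.append((host, method, path, reasons))
    return hits
```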
proc
--------------
C:\Users\operator\Desktop\wwhmvf.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 03.12.2018 18:14
stick.vbs c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\stick.vbs 03.12.2018 18:14

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\stick

# # #
https://www.virustotal.com/#/file/e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5/details
https://www.virustotal.com/#/file/53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5/details
https://analyze.intezer.com/#/analyses/8f7730d8-6b1c-485a-bd72-e0ccf46a808c

VR