Neonprimetime

2018-05-10 Lokibot payment advice email

May 10th, 2018
#lokibot
Found by @neonprimetime from 5/10/2018
Subject: Fw:Payment advice REF
link to: sendspace.com
downloads: rfq.rar
has in it: rfq.exe
md5: CD16D5E52AAB08772BDEFAB2ED0A9E32

https://www.reverse.it/sample/79e3a771d4feeaae1b733e8aba87ccb06c66ec89fc45a34e20e24fcee1fbb81a?environmentId=100

--------------------------
interesting network calls
--------------------------
POST /Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: felix.thawaslobem.com
--------------------------
interesting memory strings
--------------------------
0x18e3c4 (21): felix.thawaslobem.com
0x415448 (68): %s\%s\User Data\Default\Login Data
0x415490 (64): %s\%s\User Data\Default\Web Data
0x4154d4 (30): %s%s\Login Data
0x4154f4 (46): %s%s\Default\Login Data
0x415524 (26): Comodo\Dragon
0x415540 (44): MapleStudio\ChromePlus
0x415570 (26): Google\Chrome
0x4155d4 (26): Titan Browser
0x4155fc (40): Yandex\YandexBrowser
0x415628 (40): Epic Privacy Browser
0x415654 (28): CocCoc\Browser
0x415684 (30): Comodo\Chromodo
0x4156b8 (26): Coowon\Coowon
0x4156d4 (30): Mustang Browser
0x4156f4 (36): 360Browser\Browser
0x41571c (40): CatalinaGroup\Citrio
0x415748 (34): Google\Chrome SxS
0x41578c (44): \Opera\Opera Next\data
0x4157bc (56): \Opera Software\Opera Stable
0x4157f8 (102): \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
0x415860 (104): \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
0x4158cc (24): vaultcli.dll
0x4158e8 (19): VaultEnumerateItems
0x4158fc (20): VaultEnumerateVaults
0x415920 (12): VaultGetItem
0x415930 (14): VaultOpenVault
0x415940 (15): VaultCloseVault
0x415950 (116): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
0x4159f0 (92): Software\Microsoft\Internet Explorer\TypedURLs
0x415a58 (84): SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
0x415acc (17): encryptedUsername
0x415ae0 (17): encryptedPassword
0x415af4 (28): %s\logins.json
0x415b14 (22): %s\prefs.js
0x415b2c (34): %s\signons.sqlite
0x415b50 (22): signons.txt
0x415b68 (24): signons2.txt
0x415b84 (24): signons3.txt
0x415ba0 (62): %s\Mozilla\Firefox\profiles.ini
0x415be0 (60): %s\Mozilla\Firefox\Profiles\%s
0x415c20 (66): %s\Mozilla\SeaMonkey\profiles.ini
0x415c68 (64): %s\Mozilla\SeaMonkey\Profiles\%s
0x415cac (58): %s\Flock\Browser\profiles.ini
0x415ce8 (56): %s\Flock\Browser\Profiles\%s
0x415d24 (54): %s\Thunderbird\profiles.ini
0x415d5c (52): %s\Thunderbird\Profiles\%s
0x415d94 (48): %s\K-Meleon\profiles.ini
0x415dc8 (28): %s\K-Meleon\%s
0x415de8 (64): %s\Comodo\IceDragon\profiles.ini
0x415e30 (62): %s\Comodo\IceDragon\Profiles\%s
0x415e70 (92): %s\NETGATE Technologies\BlackHawk\profiles.ini
0x415ed0 (90): %s\NETGATE Technologies\BlackHawk\Profiles\%s
0x415f2c (46): %s\Postbox\profiles.ini
0x415f5c (44): %s\Postbox\Profiles\%s
0x415f90 (74): %s\8pecxstudios\Cyberfox\profiles.ini
0x415fe0 (72): %s\8pecxstudios\Cyberfox\Profiles\%s
0x416030 (94): %s\Moonchild Productions\Pale Moon\profiles.ini
0x416090 (92): %s\Moonchild Productions\Pale Moon\Profiles\%s
0x4160f0 (50): %s\FossaMail\profiles.ini
0x416124 (48): %s\FossaMail\Profiles\%s
0x416158 (150): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
0x416234 (22): %s\nss3.dll
0x416258 (12): NSS_Shutdown
0x416268 (23): PK11_GetInternalKeySlot
0x416280 (13): PK11_FreeSlot
0x416290 (17): PK11_Authenticate
0x4162a4 (15): PK11SDR_Decrypt
0x4162b4 (22): PK11_CheckUserPassword
0x4162cc (16): SECITEM_FreeItem
0x4162e0 (22): sqlite3.dll
0x4162f8 (28): mozsqlite3.dll
0x41632c (16): sqlite3_finalize
0x416340 (12): sqlite3_step
0x416350 (13): sqlite3_close
0x416360 (19): sqlite3_column_text
0x416374 (14): sqlite3_open16
0x416384 (18): sqlite3_prepare_v2
0x416398 (15): sqlite3_prepare
0x4163a8 (28): CurrentVersion
0x4163c8 (64): SOFTWARE\Mozilla\Mozilla Firefox
0x416414 (20): %s\%s\Main
0x41642c (34): Install Directory
0x416468 (72): SOFTWARE\Mozilla\Mozilla Thunderbird
0x4164b4 (52): SOFTWARE\Mozilla\FossaMail
0x4164ec (48): SOFTWARE\Postbox\Postbox
0x416520 (44): SOFTWARE\Mozilla\Flock
0x416550 (40): SOFTWARE\Flock\Flock
0x416588 (28): %ProgramW6432%
0x4165a8 (42): %s\NETGATE\Black Hawk
0x4165d4 (52): SOFTWARE\Mozilla\Pale Moon
0x416610 (140): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
0x4166a0 (34): SOFTWARE\K-Meleon
0x4166d8 (72): SOFTWARE\ComodoGroup\IceDragon\Setup
0x416738 (64): SOFTWARE\8pecxstudios\Cyberfox86
0x41677c (60): SOFTWARE\8pecxstudios\Cyberfox
0x4167bc (60): SOFTWARE\mozilla.org\SeaMonkey
0x4167fc (38): %s\Mozilla\Profiles
0x41682c (52): SOFTWARE\Mozilla\SeaMonkey
0x416864 (50): SOFTWARE\Mozilla\Waterfox
0x4168b0 (22): firefox.exe
0x4168d4 (24): kernel32.dll
0x4168f0 (11): CloseHandle
0x4168fc (11): CreateFileW
0x416914 (11): ExitProcess
0x416920 (22): Crypt32.dll
0x416938 (20): CryptStringToBinaryA
0x416950 (22): Shlwapi.dll
0x416970 (14): GetProcAddress
0x416980 (12): LoadLibraryW
0x4169b8 (39): X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
0x4169e0 (42): form_password_control
0x416a0c (42): form_username_control
0x416a38 (108): Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
0x416aa8 (84): %s\QupZilla\profiles\default\browsedata.db
0x416b2c (20): InstallDir
0x416b48 (72): SOFTWARE\Apple Computer, Inc.\Safari
0x416b98 (88): %s\Apple Computer\Preferences\keychain.plist
0x416bf8 (78): %s\Apple Application Support\plutil.exe
0x416c54 (54): -convert xml1 -s -o %s "%s"
0x416c8c (56): %s\Data\AccCfg\Accounts.tdat
0x416cc8 (20): %s\Storage
0x416ce0 (24): Account.rec0
0x416cfc (30): %s\Foxmail\mail
0x416d28 (26): %SYSTEMDRIVE%
0x416d58 (24): EmailAddress
0x416d74 (20): Technology
0x416db0 (20): PopAccount
0x416dc8 (22): PopPassword
0x416de0 (20): SmtpServer
0x416e0c (22): SmtpAccount
0x416e24 (24): SmtpPassword
0x416e40 (62): Software\IncrediMail\Identities
0x416ea4 (20): POP3Server
0x416edc (36): SMTP Email Address
0x416f04 (22): SMTP Server
0x416f1c (28): SMTP User Name
0x416f50 (22): POP3 Server
0x416f68 (28): POP3 User Name
0x416f9c (36): NNTP Email Address
0x416fc4 (28): NNTP User Name
0x416fe4 (22): NNTP Server
0x416ffc (22): IMAP Server
0x417014 (28): IMAP User Name
0x41705c (30): HTTP Server URL
0x41707c (36): HTTPMail User Name
0x4170a4 (30): HTTPMail Server
0x417100 (28): POP3 Password2
0x417120 (28): IMAP Password2
0x417140 (28): NNTP Password2
0x417160 (36): HTTPMail Password2
0x417188 (28): SMTP Password2
0x4171a8 (26): POP3 Password
0x4171c4 (26): IMAP Password
0x4171e0 (26): NNTP Password
0x4171fc (26): HTTP Password
0x417218 (26): SMTP Password
0x417238 (178): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
0x4172f0 (110): Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
0x417360 (110): Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
0x4173d0 (30): %s\32BitFtp.TMP
0x4173f0 (30): %s\32BitFtp.ini
0x417410 (54): %s\Estsoft\ALFTP\ESTdb2.dat
0x417448 (22): %s\site.xml
0x417460 (46): %s\BitKinex\bitkinex.ds
0x4174ac (30): LastUsedProfile
0x4174cc (56): Software\Bitvise\BvSshClient
0x417508 (40): %s\BlazeFtp\site.dat
0x417538 (72): Software\FlashPeak\BlazeFtp\Settings
0x417584 (24): LastPassword
0x4175b4 (22): LastAddress
0x417618 (88): Software\NCH Software\ClassicFTP\FTPAccounts
0x417694 (24): %s\Cyberduck
0x4176b0 (22): user.config
0x4176c8 (30): %s\iterate_GmbH
0x4176e8 (30): %s\EasyFTP\data
0x417730 (26): %s\ExpanDrive
0x41774c (26): *favorites.js
0x4177a8 (60): Software\Far\Plugins\FTP\Hosts
0x4177e8 (62): Software\Far2\Plugins\FTP\Hosts
0x417828 (148): %s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
0x4178c0 (52): %s\FileZilla\Filezilla.xml
0x4178f8 (52): %s\FileZilla\filezilla.xml
0x417930 (60): %s\FileZilla\recentservers.xml
0x417970 (56): %s\FileZilla\sitemanager.xml
0x4179ac (22): %s\FlashFXP
0x4179c4 (20): *Sites.dat
0x4179dc (20): *quick.dat
0x417a08 (22): FtpUserName
0x417a20 (22): FtpPassword
0x417a38 (24): _FtpPassword
0x417a58 (72): Software\NCH Software\Fling\Accounts
0x417aa8 (78): %s\FreshWebmaster\FreshFTP\FtpSites.SMF
0x417af8 (46): %s\FTPBox\profiles.conf
0x417b28 (64): %s\FTPGetter\Profile\servers.xml
0x417b6c (48): %s\FTPGetter\servers.xml
0x417ba0 (50): %s\FTPInfo\ServerList.xml
0x417bd4 (50): %s\FTPInfo\ServerList.cfg
0x417c08 (56): %s\FTP Navigator\Ftplist.txt
0x417c44 (40): %s\FTP Now\sites.xml
0x417c70 (48): %s\FTPShell\ftpshell.fsi
0x417ca8 (64): %s\.config\fullsync\profiles.xml
0x417cec (44): %s\DeluxeFTP\sites.xml
0x417d20 (66): %s\GoFTP\settings\Connections.txt
0x417d98 (36): %s\%s%i\encPwd.jsd
0x417dc0 (78): %s\%s%i\data\settings\sshProfiles-j.jsd
0x417e10 (78): %s\%s%i\data\settings\ftpProfiles-j.jsd
0x417e84 (60): Software\LinasFTP\Site Manager
0x417ec4 (52): %s\oZone3D\MyFTP\myftp.ini
0x417efc (46): %s\NetDrive\NDSites.ini
0x417f2c (46): %s\NetDrive2\drives.dat
0x417f60 (64): %s\Fastream NETFile\My FTP Links
0x417fa8 (66): %s\NexusFile\userdata\ftpsite.ini
0x417fec (48): %s\NexusFile\ftpsite.ini
0x418020 (64): %s\INSoftware\NovaFTP\NovaFTP.db
0x418068 (90): %s\Notepad++\plugins\config\NppFTP\NppFTP.xml
0x4180c8 (78): %s\Odin Secure FTP Expert\QFDefault.QFQ
0x418118 (76): %s\Odin Secure FTP Expert\SiteInfo.QFP
0x418168 (26): PublicKeyFile
0x418184 (24): TerminalType
0x4181a0 (20): PortNumber
0x4181b8 (64): Software\9bis.com\KiTTY\Sessions
0x418200 (70): Software\SimonTatham\PuTTY\Sessions
0x418264 (20): lsasrv.dll
0x41827c (22): LsaICryptUnprotectData
0x4182b0 (48): %s\Microsoft\Credentials
0x4182e4 (22): Config Path
0x4182fc (50): Software\VanDyke\SecureFX
0x418330 (22): %s\Sessions
0x418378 (30): %s\SftpNetDrive
0x4183a8 (84): %s\Sherrod Computers\sherrod FTP\favorites
0x418400 (52): #document.favoriteManager*
0x418438 (22): %s\SmartFTP
0x418460 (44): %s\Staff-FTP\sites.ini
0x418490 (44): %s\Steed\bookmarks.txt
0x4184c0 (26): %s\SuperPutty
0x418548 (20): {.:CRED:.}
0x418594 (24): %s\Syncovery
0x4185b0 (26): Syncovery.ini
0x4185cc (28): %s\wcx_ftp.ini
0x4185ec (44): %s\GHISLER\wcx_ftp.ini
0x41861c (20): FtpIniName
0x418638 (64): Software\Ghisler\Total Commander
0x41867c (42): %s\UltraFXP\sites.xml
0x4186a8 (60): %s\WinFtp Client\Favorites.dat
0x4186e8 (20): FSProtocol
0x418700 (46): Software\Martin Prikryl
0x418730 (40): %s\WS_FTP\WS_FTP.INI
0x41875c (26): %s\WS_FTP.INI
0x418778 (22): %s\Ipswitch
0x418790 (20): ws_ftp.ini
0x4187a8 (52): %s\NetSarang\Xftp\Sessions
0x4187f0 (33): MAC=%02X%02X%02XINSTALL=%08X%08Xk
0x418874 (24): %s\%s\%s.exe
0x4189b0 (164):

aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.

More information: http://www.ibsensoftware.com/


0x418f92 (11): getaddrinfo
0x418fa0 (12): freeaddrinfo
0x418fae (10): WS2_32.dll
0x418fbc (12): GetLastError
0x418fcc (12): SetLastError
0x418ff4 (14): GetProcessHeap
0x419004 (12): KERNEL32.dll
0x419014 (12): CoInitialize
0x419024 (14): CoUninitialize
0x419036 (16): CoCreateInstance
0x419052 (12): OLEAUT32.dll
0x4a0074 (47): http://felix.thawaslobem.com/Panel/five/fre.php