- #Lokibot
- the C2 is dead; manual analysis reveals where it was located.
- "New order.exe"
- sha256 4d6b690c476dbe7929d0e9c630df8374186b1b9e357f50f04494db556fb857d8
- sha1 69c8bb61eac811e0c667b520c081096a19959930
- md5 0b09f5e0ad21b4e80cf4bebd33cb6412
- Dropped executable file
- path C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
- sha256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
- DNS requests
- domain oja34user[.]com
- unpacked: https://www.virustotal.com/#/file/342fa89846da6d06dae7668127dfbf4f89ff92112cd2391fec5fb15171ad566a/details
- strings:
- MAC=%02X%02X%02XINSTALL=%08X%08Xk
- http://oja34user.com/emma/Panel/five/fre.php
- #FormBook #ISRstealer
- #formbook
- "1p.exe"
- url http://sealtravel.co.ke/chrome/1p.exe
- sha256 85c093096a6fd8e8a5d9578a3251421d0defb94edade3e8aa75351a6a92ce33f
- sha1 488a1ec122268fcce26a7a39244611f76ce327c8
- md5 ef46006dec50bb2a265617e9c3054220
- DNS requests
- domain www.doctors-inc.net
- domain www.teralabo.com
- domain www.lxztrrwzx67-pdliebbcnx.tech
- domain www.administrator-on-call.com
- domain www.lc9665.com
- Connections
- ip 117.169.84.232
- ip 72.52.4.122
- ip 172.217.22.115
- HTTP/HTTPS requests
- url http://www.administrator-on-call.com/lo/?qr-=XY4vAE5JWOHo6cpyHYpWhbyZIrQ4h8LHqVczto7ni7rQwQKP1xl9p4sdEVcaR4wwwU+plA==&qNG=DXRDwDUh8FMTY
- url http://www.lc9665.com/lo/
- url http://www.lc9665.com/lo/?qr-=VQDxoS2ACcuYGErQ2Q+JGjzA2udBux6R+4EVqnfb/s6g3lTabJbkcQN8F+Q15js0zjxHFw==&qNG=DXRDwDUh8FMTY&sql=1
- url http://www.doctors-inc.net/lo/?qr-=LGvBXu2gCtUdgWsP+AUC6SZsApAxInbCgICDbjtK16opxMymUDfvgrT8z+HHXWWGt8v7hA==&qNG=DXRDwDUh8FMTY&sql=1
- url http://www.doctors-inc.net/lo/
- "3p.exe"
- url http://sealtravel.co.ke/chrome/3p.exe
- sha256 55a57cbd97abb3ea89e14fc42732c0396d508835460a27e150580d1b30b7c733
- sha1 ccaffa6e6b9c23f9cc7637db1b5392dfcd7f3d0c
- md5 416718cbe4198ac882b77b1eac504196
- DNS requests
- domain www.citadelip.com
- domain www.kloramde.com
- Connections
- ip 192.185.28.193
- ip 198.187.30.201
- HTTP/HTTPS requests
- url http://www.kloramde.com/lo/?EZQltXS=oPgwoGDpGMvVAiAvBZzSDKnFD14HxnmgmreuF77oWdRODJQePVuUG50y5dv1TAmkvj+FXQ==&DzyLb=VD8LEnU8_TnxKj
- url http://www.citadelip.com/lo/?EZQltXS=gKqTGck4BNLgYiaQ8+7gGlkIF/JLnCJfWxY/ZRmUg5Hq0cuP+3ZdvNIqJj7tDCek97QcOQ==&DzyLb=VD8LEnU8_TnxKj&sql=1
- url http://www.citadelip.com/lo/
- "5x.exe"
- url http://sealtravel.co.ke/chrome/5x.exe
- sha256 3b03539fc2341a619ce138b2c4977ec9054df52ac7cfdf329cd0e23ae7c0b352
- sha1 94f95cac28919f034067a21ff99f30b2710af34f
- md5 3c1633f386bfd6e29f3cfd9114fbe092
- DNS requests
- domain www.bestdehumidifierguide.com
- domain www.wizaallianz.com
- domain www.importanceeducated.com
- domain www.royaltyfreesubscriptions.com
- Connections
- ip 54.187.202.68
- ip 192.64.119.254
- ip 202.71.109.31
- ip 104.18.58.184
- HTTP/HTTPS requests
- url http://www.importanceeducated.com/xa/?Tx4hBt2=LdCX8+p2HXAi9LTIDwQ5MxBTgvdxPDUSuhG/gW+lIGgfEJUoQ6/C3ki3ac30BLTbvkpHgg==&6l=mnBXn
- url http://www.royaltyfreesubscriptions.com/xa/?Tx4hBt2=wn/Im6F2gEOoii2gObMST19ozpj2GJKPzODymswawf3y+Bo8pwFEinUwcW6OTQzImi6ofA==&6l=mnBXn&sql=1
- url http://www.wizaallianz.com/xa/
- url http://www.wizaallianz.com/xa/?Tx4hBt2=Izxx4HqOK6KUQq69aMgqM6mZIfb9U68v16yvcd4wE0Z4eObS2L+2lkstSPc/ZLQXGrJYmA==&6l=mnBXn&sql=1
- url http://www.bestdehumidifierguide.com/xa/
- url http://www.bestdehumidifierguide.com/xa/?Tx4hBt2=KG1Rc65MqDobK7srlTteBckNFi9wyvO2p4R3XZo0ThSMryCPF3wx9B1k4Qajoy9KYXiCyA==&6l=mnBXn&sql=1
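The beacon URLs logged for 1p.exe, 3p.exe and 5x.exe share one shape: a two-letter directory ("/lo/" or "/xa/"), a first parameter carrying a long base64-looking blob ending in "==", a second short parameter, and on some requests a trailing "&sql=1". The check below is an added example, not part of the paste or of any FormBook tooling; it encodes that shape so it can be run over proxy or sandbox logs. SAMPLE_URLS are copied from the requests listed above; BENIGN_URLS are constructed negatives, one of them the bare "/lo/" check-in, which the check ignores because it carries nothing to key on.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Beacon URLs copied from the sandbox logs above (both campaign paths seen: /lo/ and /xa/).
SAMPLE_URLS: List[str] = [
    "http://www.administrator-on-call.com/lo/?qr-=XY4vAE5JWOHo6cpyHYpWhbyZIrQ4h8LHqVczto7ni7rQwQKP1xl9p4sdEVcaR4wwwU+plA==&qNG=DXRDwDUh8FMTY",
    "http://www.lc9665.com/lo/?qr-=VQDxoS2ACcuYGErQ2Q+JGjzA2udBux6R+4EVqnfb/s6g3lTabJbkcQN8F+Q15js0zjxHFw==&qNG=DXRDwDUh8FMTY&sql=1",
    "http://www.kloramde.com/lo/?EZQltXS=oPgwoGDpGMvVAiAvBZzSDKnFD14HxnmgmreuF77oWdRODJQePVuUG50y5dv1TAmkvj+FXQ==&DzyLb=VD8LEnU8_TnxKj",
    "http://www.importanceeducated.com/xa/?Tx4hBt2=LdCX8+p2HXAi9LTIDwQ5MxBTgvdxPDUSuhG/gW+lIGgfEJUoQ6/C3ki3ac30BLTbvkpHgg==&6l=mnBXn",
]

# Constructed negatives: an ordinary search URL and the bare check-in path with no query.
BENIGN_URLS: List[str] = [
    "http://www.example.com/search?q=formbook+ioc&page=2",
    "http://www.lc9665.com/lo/",
]

PATH_RE = re.compile(r"^/[a-z0-9]{2,3}/$")           # "/lo/", "/xa/"
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,8}$")         # "qr-", "EZQltXS", "6l"
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking payload
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{4,20}$")        # "DXRDwDUh8FMTY", "mnBXn"


def formbook_beacon_shape(url: str) -> Optional[Dict[str, object]]:
    """Return extracted fields if url has the beacon shape seen in this paste, else None.

    The query is split by hand rather than with parse_qsl, which would turn the
    '+' inside the base64 blob into a space and make BLOB_RE miss it.
    """
    parts = urlsplit(url)
    if not parts.query or not PATH_RE.match(parts.path):
        return None
    params = [p.split("=", 1) for p in parts.query.split("&")]
    if len(params) not in (2, 3) or any(len(p) != 2 for p in params):
        return None
    (blob_name, blob), (token_name, token) = params[0], params[1]
    if not (NAME_RE.match(blob_name) and BLOB_RE.match(blob)):
        return None
    if not (NAME_RE.match(token_name) and TOKEN_RE.match(token)):
        return None
    has_sql = len(params) == 3
    if has_sql and params[2] != ["sql", "1"]:
        return None
    return {"host": parts.hostname, "path": parts.path, "blob_len": len(blob),
            "token": token, "sql": has_sql}


def group_by_campaign(urls: List[str]) -> Dict[str, List[str]]:
    """Cluster flagged hosts by beacon path; in this log the path is constant across
    every host one sample contacted, so it is a useful pivot when hosts rotate."""
    groups: Dict[str, List[str]] = {}
    for url in urls:
        hit = formbook_beacon_shape(url)
        if hit:
            groups.setdefault(str(hit["path"]), []).append(str(hit["host"]))
    return groups


if __name__ == "__main__":
    for path, hosts in group_by_campaign(SAMPLE_URLS + BENIGN_URLS).items():
        print(path, hosts)
```

The shape check is a triage aid for this paste's traffic, not a general FormBook signature: parameter names, blob length and the beacon directory vary per build, so treat a hit as a reason to pull the full session rather than as a verdict on its own.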
- #ISRStealer
- "3a.exe"
- url http://sealtravel.co.ke/chrome/3a.exe
- sha256 7dfab1e26e2c172a4c76e710cf7e74cd676b4206e163c19de2ac1b7650637ee3
- sha1 95fe82f6955d80f887b3f222696c40edc8dce3bf
- md5 afe903482330df4f425a7e48a464821f
- DNS requests
- domain blacktravertine.com
- Connections
- ip 85.95.234.101
- HTTP/HTTPS requests
- url http://blacktravertine.com/wordpress/wp-includes/images/media/windows/chrome/index.php?action=add&username=&password=&app=&pcname=PC&sitename=
- unpacked: https://www.virustotal.com/#/file/6b138751318b0ab6815cde0fec060d9019e9e06751589107e10b7ec903d6f358/detection
- strings:
- EsISQ6XGhVsi6FyhW3iO3rIwoibWly
- HardCore Software For : Public
- ?action=add&username=
- frrn8--`j_airp_tcprglc,amk-umpbnpcqq-un+glajsbcq-gk_ecq-kcbg_-uglbmuq-afpmkc-glbcv,nfn
- Mail Password Recovery
- Mail PassView
- mailpv
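The string "frrn8--`j_airp_tcprglc,amk-..." listed above is the C2 URL from the HTTP log with every byte shifted down by 2 (so "h" became "f", "." became "," and the "-" in "wp-includes" became "+"). The decoder below is an added example, not code from the paste or from the sample; it recovers the shift by trying small additive shifts until one produces something shaped like a URL, then checks the result against the URL the sandbox actually contacted. Both strings are copied from the paste; the URL-shape regex and the shift range are assumptions.

```python
import re
from typing import Optional, Tuple

# Obfuscated string from the unpacked ISRStealer sample's strings (copied from the paste).
OBFUSCATED = "frrn8--`j_airp_tcprglc,amk-umpbnpcqq-un+glajsbcq-gk_ecq-kcbg_-uglbmuq-afpmkc-glbcv,nfn"

# C2 URL from the sandbox HTTP log above, without its query string (copied from the paste).
OBSERVED_C2 = ("http://blacktravertine.com/wordpress/wp-includes/images/media/"
               "windows/chrome/index.php")

# Loose URL shape used to spot a correct decode: scheme, hostname chars, optional printable path.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?:/[\x21-\x7e]*)?$")


def shift_bytes(s: str, delta: int) -> str:
    """Add delta to every byte of s. This is a plain additive byte shift, so it also
    moves punctuation ('+' <-> '-', ',' <-> '.'); it is not a letters-only rotation."""
    return "".join(chr((ord(c) + delta) & 0xFF) for c in s)


def recover_shift(obfuscated: str, max_shift: int = 32) -> Optional[Tuple[int, str]]:
    """Try shifts +1, -1, +2, -2, ... and return (delta, plaintext) for the first
    candidate that looks like an http(s) URL, or None if no shift produces one."""
    for magnitude in range(1, max_shift + 1):
        for delta in (magnitude, -magnitude):
            candidate = shift_bytes(obfuscated, delta)
            if URL_RE.match(candidate):
                return delta, candidate
    return None


def c2_matches_log(obfuscated: str, observed_url: str) -> bool:
    """True when the decoded string equals the URL the sample contacted in the sandbox run."""
    result = recover_shift(obfuscated)
    return result is not None and result[1] == observed_url


if __name__ == "__main__":
    decoded = recover_shift(OBFUSCATED)
    print(decoded)
    print("matches sandbox C2:", c2_matches_log(OBFUSCATED, OBSERVED_C2))
```

Because the shift is applied to raw byte values, the same routine works on the sample's other shifted strings without a letters-only alphabet, and the brute-force loop means a rebuilt sample that changes the constant still decodes as long as it stays a single-byte additive shift.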