- THREAT ATTRIBUTION: LOKIBOT / AVE MARIA?
- ANALYST NOTES
- I thought that the combination of a cutt.ly forward to download an .exe is usually indicative of Ave Maria.
- However, the C2 traffic out to fre.php is clearly Lokibot.
- SUBJECTS OBSERVED
- Statement for month-end Jan 2021 T/T payment
- SENDERS OBSERVED
- adityanto_kurniawan@bankwoorisaudara.com
- MALDOC FILE HASHES
- Payment list.xlsx
- 010f2db66f5ffec899d9990e3316b37c
- McAfee=Y
- Statement.xlsx
- 010f2db66f5ffec899d9990e3316b37c
- McAfee=Y
- LOKIBOT PAYLOAD URLS
- https://cutt.ly/0kLb8eI
- http://kungsb2stdygotchtstf.dns.army/kung2doc/winlog.exe
- LOKIBOT PAYLOAD FILE HASHES
- winlog.exe
- 8cc9a32f8cf03de89a1a9235ae206cd0
- It's renamed and moved here:
- C:\users\analyst\AppData\Roaming\17E4D9
- 97071E.exe
- 8cc9a32f8cf03de89a1a9235ae206cd0
- LOKIBOT C2
- http://becharnise.ir/fb3/fre.php
- ADDITIONAL FILES
- I also found the following - I don't know if they're malicious:
- C:\users\analyst\AppData\Local\Temp
- 76v7xb.dll
- 43b77e01a8b6f3af6500fe732941f66d
- C:\users\analyst\AppData\Local\Temp\nsdEED6.tmp
- System.dll
- fccff8cb7a1067e23fd2e2b63971a8e1
- From Virustotal:
- "This is the System.dll file component of Nullsoft Scriptable Install System Portable v3.06.1 (nsis-3.06.1)
- Malware may have utilized it for a bad purpose."
- SUPPORTING EVIDENCE
- https://app.any.run/tasks/d071d34e-b9d2-440e-be70-7b24d6ae3bec/
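The indicators above, turned into a small sweep a responder could run over proxy and EDR exports. This is an added example, not code from the original paste or from the any.run report: the hashes, URLs and drop path are copied from the notes; the log lines are constructed for illustration (the 203.0.113.7 host is a documentation-range address, not an observed IOC); and the regex that treats %APPDATA%\Roaming\<6 hex>\<6 hex>.exe as a shape rather than the single observed 17E4D9\97071E.exe instance is an assumption, so verify it against your own samples before alerting on it.

```python
"""IOC sweep for the LokiBot indicators listed in the notes above.

Added example; not code from the original paste or the any.run report.
Indicator values are copied from the notes. The log lines below are
constructed, and the %APPDATA%\\Roaming\\<6 hex>\\<6 hex>.exe regex
generalizes the single observed drop path (assumption).
"""
import re
from urllib.parse import urlparse

# Indicators copied from the notes.
PAYLOAD_MD5 = "8cc9a32f8cf03de89a1a9235ae206cd0"   # winlog.exe / 97071E.exe
MALDOC_MD5 = "010f2db66f5ffec899d9990e3316b37c"    # Payment list.xlsx / Statement.xlsx
IOC_MD5 = {PAYLOAD_MD5: "known payload hash", MALDOC_MD5: "known maldoc hash"}
IOC_URLS = {
    "https://cutt.ly/0kLb8eI",
    "http://kungsb2stdygotchtstf.dns.army/kung2doc/winlog.exe",
    "http://becharnise.ir/fb3/fre.php",
}
# cutt.ly is a public shortener: only the exact short link is an indicator,
# so the host set deliberately leaves it out to avoid flagging every cutt.ly hit.
IOC_HOSTS = {"kungsb2stdygotchtstf.dns.army", "becharnise.ir"}

# Assumption: the observed drop location 17E4D9\97071E.exe generalizes to
# %APPDATA%\Roaming\<6 hex>\<6 hex>.exe, so match the shape, not the instance.
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{6}\\[0-9A-F]{6}\.exe$", re.I)
# C2 shape from the notes: a POST to a fre.php endpoint.
C2_PATH_RE = re.compile(r"/fre\.php$", re.I)


def check_web_request(method, url):
    """Return why a request is suspicious, or None if it matches nothing."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if url in IOC_URLS:
        return "known payload/C2 URL"
    if host in IOC_HOSTS:
        return "known malicious host"
    if method.upper() == "POST" and C2_PATH_RE.search(parsed.path):
        return "LokiBot-style C2 path (fre.php)"
    return None


def check_file_event(path, md5):
    """Exact hash match first, then the generalized drop-path shape."""
    reason = IOC_MD5.get(md5.lower())
    if reason:
        return reason
    if DROP_PATH_RE.search(path):
        return "LokiBot-style drop path"
    return None


def scan_proxy_log(text):
    """Lines: '<ts> <user> <method> <url> <status>'. Returns [(url, reason)]."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, _user, method, url, _status = fields[:5]
        reason = check_web_request(method, url)
        if reason:
            hits.append((url, reason))
    return hits


def scan_file_events(text):
    """Lines: '<path> <md5>'. Returns [(path, reason)]."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, md5 = line.rsplit(None, 1)
        reason = check_file_event(path, md5)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample logs (not from the any.run task). The unrelated cutt.ly
# link shows the shortener caveat; the 203.0.113.7 line shows the fre.php
# shape rule firing on a host the notes never list.
PROXY_LOG = """\
2021-01-29T09:12:01Z analyst GET https://cutt.ly/0kLb8eI 302
2021-01-29T09:12:02Z analyst GET http://kungsb2stdygotchtstf.dns.army/kung2doc/winlog.exe 200
2021-01-29T09:12:09Z analyst POST http://becharnise.ir/fb3/fre.php 200
2021-01-29T09:12:10Z analyst GET https://www.microsoft.com/ 200
2021-01-29T09:13:00Z analyst GET https://cutt.ly/someOtherLink 302
2021-01-29T09:13:05Z analyst POST http://203.0.113.7/other/fre.php 404
"""

FILE_EVENTS = r"""
C:\users\analyst\Downloads\winlog.exe 8cc9a32f8cf03de89a1a9235ae206cd0
C:\users\analyst\AppData\Roaming\17E4D9\97071E.exe 8cc9a32f8cf03de89a1a9235ae206cd0
C:\users\analyst\AppData\Roaming\A1B2C3\D4E5F6.exe 00000000000000000000000000000000
C:\users\analyst\AppData\Roaming\Microsoft\Word\normal.dotm 11111111111111111111111111111111
"""

if __name__ == "__main__":
    for url, reason in scan_proxy_log(PROXY_LOG):
        print(f"[web]  {reason}: {url}")
    for path, reason in scan_file_events(FILE_EVENTS):
        print(f"[file] {reason}: {path}")
```

Exact hash and URL matches are the high-confidence findings; the two shape rules (the fre.php POST and the hex-named Roaming path) are there to catch the next sample of the same family and should be treated as leads to triage, not as automatic verdicts.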