
#lokibot_011218-2

VRad Dec 3rd, 2018 (edited)
#IOC #OptiData #VR #Lokibot #RTF #11882

https://pastebin.com/w5Gy50d5

previous_contact:
01/12/18    https://pastebin.com/JHBUsJ7k
28/11/18    https://pastebin.com/W0e6iWnc
28/11/18    https://pastebin.com/4hf0UEqM
16/10/18    https://pastebin.com/LPqjHUkQ
08/10/18    https://pastebin.com/cZxQGbyq
27/09/18    https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach doc(RTF) > CVE-2017-11882 (Equation Editor, EQNEDT32.EXE) > GET wwhmvf.jpg (PE32) > exe

email_headers
--------------
Received: from undp.org ([37.49.225.39])
    by srv8.victim1.com (8.15.2/8.15.2)
    for <user0@org6.victim1.com>; Sat, 1 Dec 2018 17:12:40 +0200 (EET)
    (envelope-from dscme@undp.org)
From: "Mrs. Bijal Bhavsar  "  <dscme@undp.org>
To: user0@org6.victim1.com
Subject: user0@org6.victim1.com Fw: Additional Invoices
Date: 1 Dec 2018 07:12:20 -0800

files
--------------

SHA-256 e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5
File name   Invoice No. 3491.doc        [RTF]
File size   22.23 KB

SHA-256 53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5
File name   wwhmvf.jpg          [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   669.5 KB

activity
**************

PL_GET:     h11p:\ bit{.} ly/2FLQ8rT    > h11ps:\ a.doko{.} moe/wwhmvf.jpg

C2:     h11p:\ redep{.} cf/kass1/fred.php

netwrk
--------------
67.199.248.10   bit{.} ly   GET /2FLQ8rT HTTP/1.1   Mozilla/4.0

62.141.44.15    redep{.} cf POST /kass1/fred.php HTTP/1.0   Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE    3192    67.199.248.10   80  ESTABLISHED
EQNEDT32.EXE    3192    67.199.248.14   443 ESTABLISHED
stickcy.exe     3716    62.141.44.15    80  ESTABLISHED

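Detection logic for the netwrk and comp sections above, as an added example that is not part of the original paste: it runs the paste's indicators (the C2 host and IP, the Lokibot User-Agent, the HTTP/1.0 POST check-in to a short .php path, and Equation Editor holding an outbound connection) over constructed proxy-log and connection-table lines. The tab-separated log layout, the sample lines and all function names are assumptions made for the example; the refanged indicator values are the paste's.

```python
"""Network-side detection for the Lokibot indicators in this paste.

Added example, not part of the original paste. The proxy log format
(tab-separated: ts, src, method, host, path, version, user_agent) and
the sample rows are constructed for the example.
"""
import re
from typing import List, Tuple

# Indicators from the paste, refanged so they can be matched.
C2_HOSTS = {"redep.cf"}
C2_IPS = {"62.141.44.15"}
PAYLOAD_HOSTS = {"a.doko.moe"}                   # second stage behind the bit.ly redirect
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"    # hard-coded Lokibot User-Agent
# Lokibot check-in in the paste: HTTP/1.0 POST to /<dir>/<name>.php
CHECKIN_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.php$")
# Office helper processes that have no business holding a network connection.
NO_NETWORK_PROCS = {"eqnedt32.exe"}

# Constructed proxy log. bit.ly itself is deliberately not an indicator:
# the redirect target and the check-in are what we key on.
SAMPLE_PROXY_LOG = """\
2018-12-03T18:13:55Z\t10.0.0.21\tGET\tbit.ly\t/2FLQ8rT\tHTTP/1.1\tMozilla/4.0
2018-12-03T18:13:56Z\t10.0.0.21\tGET\ta.doko.moe\t/wwhmvf.jpg\tHTTP/1.1\tMozilla/4.0
2018-12-03T18:14:02Z\t10.0.0.21\tPOST\tredep.cf\t/kass1/fred.php\tHTTP/1.0\tMozilla/4.08 (Charon; Inferno)
2018-12-03T18:14:30Z\t10.0.0.44\tGET\twww.example.com\t/index.html\tHTTP/1.1\tMozilla/5.0 (Windows NT 10.0)
2018-12-03T18:15:10Z\t10.0.0.21\tPOST\t62.141.44.15\t/kass1/fred.php\tHTTP/1.0\tMozilla/4.08 (Charon; Inferno)
"""

# Constructed connection table in the paste's comp layout:
# process  pid  remote_ip  port  state
SAMPLE_CONNECTIONS = """\
EQNEDT32.EXE    3192    67.199.248.10   80  ESTABLISHED
EQNEDT32.EXE    3192    67.199.248.14   443 ESTABLISHED
stickcy.exe     3716    62.141.44.15    80  ESTABLISHED
chrome.exe      2210    93.184.216.34   443 ESTABLISHED
"""


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, reasons) for every proxy line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, version, ua = line.split("\t", 6)
        reasons = []
        if host in C2_HOSTS or host in C2_IPS:
            reasons.append("known C2 host")
        if host in PAYLOAD_HOSTS:
            reasons.append("known payload host")
        if ua == LOKIBOT_UA:
            reasons.append("Lokibot User-Agent")
        # Behavioural rule: survives a C2 domain change, unlike the host list.
        if method == "POST" and version == "HTTP/1.0" and CHECKIN_PATH_RE.match(path):
            reasons.append("HTTP/1.0 POST check-in to short .php path")
        if reasons:
            hits.append((ts, src, "; ".join(reasons)))
    return hits


def scan_connections(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (process, pid, remote_ip, reason) for suspicious connection-table rows."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proc, pid, ip, _port, _state = parts
        reason = None
        if proc.lower() in NO_NETWORK_PROCS:
            reason = "Equation Editor with network connection (CVE-2017-11882 exploitation pattern)"
        elif ip in C2_IPS:
            reason = "connection to known C2 IP"
        if reason:
            hits.append((proc, int(pid), ip, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for hit in scan_connections(SAMPLE_CONNECTIONS):
        print("conn: ", hit)
```

The host and IP sets catch this campaign only; the User-Agent and the HTTP/1.0 POST rule are the parts worth keeping once redep.cf is gone, and EQNEDT32.EXE with any ESTABLISHED socket is a strong signal on its own because Equation Editor never needs the network.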
proc
--------------
C:\Users\operator\Desktop\wwhmvf.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup             03.12.2018 18:14
stick.vbs           c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\stick.vbs   03.12.2018 18:14

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\stick

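Host-side triage for the persist and drop sections above, as an added example that is not part of the original paste: it looks for the two artifact shapes the paste shows, a script dropped into the user's Startup folder and a %APPDATA%\Roaming\<6 hex>\<6 hex>.exe with a sibling .hdb. It walks a constructed list of paths standing in for a filesystem listing, so it runs offline; the listing, the function names and the assumption that the 6-hex directory pattern generalises beyond the 39B01F\FA74A3 pair in this paste are mine, not the paste's.

```python
"""Host triage for the persistence and drop artifacts in this paste.

Added example, not part of the original paste. SAMPLE_LISTING is a
constructed stand-in for a directory walk of the user profile; on a live
host you would feed in the output of os.walk over %APPDATA%.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Drop pattern from the paste: %APPDATA%\Roaming\39B01F\FA74A3.exe + FA74A3.hdb.
# Assumed (not stated in the paste) to generalise to any 6-hex dir/file stem.
HEX6_DIR_RE = re.compile(r"^[0-9A-F]{6}$", re.IGNORECASE)
HEX6_FILE_RE = re.compile(r"^[0-9A-F]{6}\.(exe|hdb)$", re.IGNORECASE)
ROAMING_MARKER = r"\appdata\roaming"
STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".lnk"}

# Constructed listing: the paste's paths plus benign neighbours as negatives.
SAMPLE_LISTING = [
    r"C:\Users\operator\Desktop\wwhmvf.exe",
    r"C:\Users\operator\AppData\Roaming\stick\stickcy.exe",
    r"C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe",
    r"C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb",
    r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stick.vbs",
    r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\operator\AppData\Roaming\ABCDEF\readme.txt",   # 6-hex dir but no exe/hdb pair
    r"C:\Users\operator\AppData\Roaming\1A2B3C\1A2B3C.exe",   # exe without its .hdb: not a pair
]


def find_lokibot_drops(paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (directory, exe_name, hdb_name) for every 6-hex Roaming dir holding an .exe/.hdb pair."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for p in paths:
        directory, name = ntpath.split(p)
        if ROAMING_MARKER not in directory.lower():
            continue
        if not HEX6_DIR_RE.match(ntpath.basename(directory)):
            continue
        if not HEX6_FILE_RE.match(name):
            continue
        stem, ext = ntpath.splitext(name)
        seen.setdefault((directory, stem.upper()), set()).add(ext.lower())
    # Only the exe+hdb pair is reported; a lone exe in a hex dir is left for manual review.
    return sorted(
        (directory, f"{stem}.exe", f"{stem}.hdb")
        for (directory, stem), exts in seen.items()
        if {".exe", ".hdb"} <= exts
    )


def find_startup_scripts(paths: List[str]) -> List[str]:
    """Return script/shortcut files sitting directly in the per-user Startup folder."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        if directory.lower().endswith(STARTUP_SUFFIX) and ntpath.splitext(name)[1].lower() in SCRIPT_EXTS:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for drop in find_lokibot_drops(SAMPLE_LISTING):
        print("drop:   ", drop)
    for script in find_startup_scripts(SAMPLE_LISTING):
        print("startup:", script)
```

The .hdb next to the .exe is the discriminator: a user-profile directory named by six hex digits is unusual but not unique, while the .exe/.hdb pair with the same stem is the layout this sample left behind, so the check reports only that pair and keeps lone executables out of the alert.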
# # #
https://www.virustotal.com/#/file/e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5/details
https://www.virustotal.com/#/file/53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5/details
https://analyze.intezer.com/#/analyses/8f7730d8-6b1c-485a-bd72-e0ccf46a808c

VR