#IOC #OptiData #VR #Lokibot #RTF #11882
https://pastebin.com/w5Gy50d5

previous_contact:
01/12/18 https://pastebin.com/JHBUsJ7k
28/11/18 https://pastebin.com/W0e6iWnc
28/11/18 https://pastebin.com/4hf0UEqM
16/10/18 https://pastebin.com/LPqjHUkQ
8/10/18 https://pastebin.com/cZxQGbyq
27/09/18 https://pastebin.com/5bpk5kKs

FAQ:
https://radetskiy.wordpress.com/?s=lokibot

attack_vector
--------------
email attach doc(RTF) > 11882 > GET wwhmvf.jpg > exe

email_headers
--------------
Received: from undp.org ([37.49.225.39])
by srv8.victim1.com (8.15.2/8.15.2)
for <user0@org6.victim1.com>; Sat, 1 Dec 2018 17:12:40 +0200 (EET)
(envelope-from dscme@undp.org)
From: "Mrs. Bijal Bhavsar " <dscme@undp.org>
To: user0@org6.victim1.com
Subject: user0@org6.victim1.com Fw: Additional Invoices
Date: 1 Dec 2018 07:12:20 -0800

files
--------------
SHA-256 e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5
File name Invoice No. 3491.doc [RTF]
File size 22.23 KB

SHA-256 53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5
File name wwhmvf.jpg [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 669.5 KB

activity
**************
PL_GET: h11p:\ bit{.} ly/2FLQ8rT > https://a.doko.moe/wwhmvf.jpg
C2: h11p:\ redep{.} cf/kass1/fred.php

netwrk
--------------
67.199.248.10 bit{.} ly GET /2FLQ8rT HTTP/1.1 Mozilla/4.0
62.141.44.15 redep{.} cf POST /kass1/fred.php HTTP/1.0 Mozilla/4.08 (Charon; Inferno)

comp
--------------
EQNEDT32.EXE 3192 67.199.248.10 80 ESTABLISHED
EQNEDT32.EXE 3192 67.199.248.14 443 ESTABLISHED
stickcy.exe 3716 62.141.44.15 80 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\wwhmvf.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe
C:\Users\operator\AppData\Roaming\stick\stickcy.exe

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 03.12.2018 18:14
stick.vbs c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\stick.vbs 03.12.2018 18:14

drop
--------------
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.exe
C:\Users\operator\AppData\Roaming\39B01F\FA74A3.hdb
C:\Users\operator\AppData\Roaming\stick

# # #
https://www.virustotal.com/#/file/e7c7acb520b5b2524f6343157ea69d677fe0e403426d7df6cb4e691206c3c0b5/details
https://www.virustotal.com/#/file/53613bc1c3c4084565deb2b5132a1b86258e9a7a90a1f76c9d032fb0e897dfd5/details
https://analyze.intezer.com/#/analyses/8f7730d8-6b1c-485a-bd72-e0ccf46a808c
VR