Malspam Delivers Loki-Bot
Tags
| country: | Russia |
| attack-pattern: | Data Credentials - T1589.001 Keylogging - T1056.001 Keylogging - T1417.001 Malware - T1587.001 Malware - T1588.001 Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | a3c3bcc8-f2f6-4db9-83f2-f75879d6fd82 |
| Fingerprint | 27c589b71faac510 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | April 1, 2018, 10:51 a.m. |
| Added to db | Oct. 22, 2023, 10:08 p.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | Malspam Delivers Loki-Bot |
| Title | Malspam Delivers Loki-Bot |
| Detected Hints/Tags/Attributes | 43/2/68 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 156 | ✔ | Malware breakdown | https://malwarebreakdown.com/feed/ | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 375 | cve-2017-11882 |
|
| Details | Domain | 9 | malwarebreakdown.com |
|
| Details | Domain | 1 | office.erlivia.ltd |
|
| Details | Domain | 47 | www.malware-traffic-analysis.net |
|
| Details | Domain | 911 | any.run |
|
| Details | Domain | 5 | ckav.ru |
|
| Details | Domain | 7 | fuckav.ru |
|
| Details | Domain | 1 | erlivia.ltd |
|
| Details | Domain | 1 | anoti.erlivia.ltd |
|
| Details | Domain | 1 | anotis.erlivia.ltd |
|
| Details | Domain | 1 | davuchi.erlivia.ltd |
|
| Details | Domain | 1 | lankys.erlivia.ltd |
|
| Details | Domain | 1 | mail.erlivia.ltd |
|
| Details | Domain | 1 | max.erlivia.ltd |
|
| Details | Domain | 1 | maxi.erlivia.ltd |
|
| Details | Domain | 1 | microsoft.erlivia.ltd |
|
| Details | Domain | 1 | rov.erlivia.ltd |
|
| Details | Domain | 1 | windows.erlivia.ltd |
|
| Details | Domain | 268 | www.virustotal.com |
|
| Details | Domain | 1 | cliftonltd.ru |
|
| Details | Domain | 425 | isc.sans.edu |
|
| Details | Domain | 1 | r3mrum.wordpress.com |
|
| Details | File | 1 | po2018-048.doc |
|
| Details | File | 1 | 2018-049.doc |
|
| Details | File | 57 | eqnedt32.exe |
|
| Details | File | 1 | sharedequationeqnedt32.exe |
|
| Details | File | 2 | realtekhd.exe |
|
| Details | File | 1 | menuprogramsstartupdropboxinstaller.exe |
|
| Details | File | 1 | dropboxinstaller.exe |
|
| Details | File | 1 | fbbbb63c85.exe |
|
| Details | File | 816 | index.html |
|
| Details | File | 82 | fre.php |
|
| Details | md5 | 1 | 6CD99ACE2FBBB63C852955B3C167AC07 |
|
| Details | sha256 | 1 | 4bf2658e0f69865c977cabd24b8dccca38ffc09a17b3367e5f702d2993cf00f7 |
|
| Details | sha256 | 1 | f9b5535bffd5c0525cb1e59bf79f06d925448b12f106fe1e972473fab4f082fa |
|
| Details | sha256 | 1 | ed5550d3047903d3e09363f90b6d49f519d1484af4e528fd95f1e5f3e5a008b2 |
|
| Details | IPv4 | 1 | 216.200.116.109 |
|
| Details | IPv4 | 1 | 89.34.237.212 |
|
| Details | IPv4 | 1 | 89.46.222.212 |
|
| Details | IPv4 | 1 | 89.46.222.203 |
|
| Details | IPv4 | 1 | 149.56.100.113 |
|
| Details | IPv4 | 1 | 89.46.222.222 |
|
| Details | IPv4 | 1 | 89.46.223.221 |
|
| Details | IPv4 | 1 | 185.15.245.88 |
|
| Details | IPv4 | 1 | 185.15.244.0 |
|
| Details | IPv4 | 1 | 89.46.223.0 |
|
| Details | IPv4 | 1 | 89.46.222.0 |
|
| Details | IPv4 | 1 | 89.46.222.187 |
|
| Details | IPv4 | 1 | 192.64.119.173 |
|
| Details | IPv4 | 2 | 192.64.119.0 |
|
| Details | Url | 1 | https://www.malware-traffic-analysis.net/2018/03/09/index.html |
|
| Details | Url | 1 | http://office.erlivia.ltd/white.123 |
|
| Details | Url | 1 | http://office.erlivia.ltd/black.123 |
|
| Details | Url | 1 | http://office.erlivia.ltd/000.123 |
|
| Details | Url | 1 | https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-steal-credentials-spread-banking-trojans-rats-ransomware |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/185.15.245.88/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/89.46.223.221/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/89.46.222.222/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/89.46.222.203/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/89.46.222.212/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/89.46.222.187/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/ip-address/192.64.119.173/information |
|
| Details | Url | 1 | https://www.virustotal.com/en/domain/cliftonltd.ru/information |
|
| Details | Url | 1 | https://isc.sans.edu/forums/diary/3 |
|
| Details | Url | 1 | http://newsroom.trendmicro.com/blog/security-intelligence/cve-2017-11882-exploited-deliver-cracked-version-loki-infostealer |
|
| Details | Url | 2 | https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850 |
|
| Details | Url | 1 | https://r3mrum.wordpress.com/2017/07/13/loki-bot-inside-out |
|
| Details | Windows Registry Key | 1 | HKLMSOFTWAREMicrosoftCryptographyMachineGuid |