Sender: [email protected]
Subject: RE: Payment IN-2716 – MPA-PI17045 – USD
Attachment(s): Payment_001.doc and Payment_002.doc
Both Payment_001.doc and Payment_002.doc are malicious RTF documents triggering detections for CVE-2017-11882.
Payment_001.doc:
Traffic: (screenshot not reproduced)
Pony Panel:
Panel: hxxp://paclficinsight.com GET /new1/pony/china.jpg
IOCs
Network:
- 94.102.1.194 – hxxps://agahguner.com GET /44.msi
- 94.102.60.3 – hxxp://paclficinsight.com POST /new1/pony/gate.php
File System: (screenshot not reproduced)
Hashes and Reports:
SHA256: 788884332fc1c199107310ff5b6af4d8605ff3bdd5e67f6a4bc5db55a03321b1
File name: Payment_001.doc
Sandbox: Hybrid-Analysis and Any.Run
SHA256: c9f16df9b26cafefc4ca3fc58cbcee621b7ffe49a4e702b0e73f5604f27aec87
File name: 44.msi
Sandbox: Hybrid-Analysis
SHA256: 8e1c9cf4466e9cd09d19d491855f1285f7bf711c452afe1f674ef0d1a9e056dd
File name: MSI50AC.tmp.exe
Sandbox: Hybrid-Analysis
Payment_002.doc:
Traffic: (screenshot not reproduced)
Loki-Bot Panel:
IOCs
Network:
- 94.102.1.194 – hxxps://agahguner.com GET /55.msi
- 94.102.60.3 – hxxp://paclficinsight.com POST /new/Panel/five/fre.php
File System: (screenshot not reproduced)
Registry: (screenshot not reproduced; the registry entry is used for persistence)
Hashes and Reports:
SHA256: 2fdc22d8926db1b04dc3d62ff6da72236cb1c052b23553b644c7f18ea8496d8a
File name: Payment_002.doc
Sandbox: Hybrid-Analysis and Any.Run
SHA256: 6bfa353f905c0fc5ded87e7f35dc939e7b757ea3f2f8372f81f0ac40edadd619
File name: 55.msi
Sandbox: Hybrid-Analysis
SHA256: 3f5240c924074995651c4ccac15ddfd0070beff93625dcea9db118ab32bad61d
File name: B23EAF.exe
Sandbox: Hybrid-Analysis
Samples
Malspam Delivers Pony and LokiBot 031818
Password is “infected”
Article Link: https://malwarebreakdown.com/2018/03/19/malspam-delivers-pony-and-loki-bot/