General

  • Target

    seethebestthingsevermeetwithgreatthingstobegood.hta

  • Size

    204KB

  • Sample

    241025-kpfqqayckl

  • MD5

    964a54d784f1cbef1effaa3ab917fcbc

  • SHA1

    6d9d2657d1a8277a3427e0819e8260a2ac341e93

  • SHA256

    862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5

  • SHA512

    c9e0b1cc0597c98f103a84cab21e4fdf4b6d4306db22f3ebd3bccdf08870cf8cb38c7e58047f77f8375059a206294885c4eca91eca8cb14530336620868563cb

  • SSDEEP

    96:Eac75EdYJF9OfdYJh9OC/7oRD1gnQbPy9YhrrudYJOdYJEA9OqdYJG7T:EaA5EmFwfmhwYUZ2mOmEAwqm0T

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      seethebestthingsevermeetwithgreatthingstobegood.hta

    • Size

      204KB

    • MD5

      964a54d784f1cbef1effaa3ab917fcbc

    • SHA1

      6d9d2657d1a8277a3427e0819e8260a2ac341e93

    • SHA256

      862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5

    • SHA512

      c9e0b1cc0597c98f103a84cab21e4fdf4b6d4306db22f3ebd3bccdf08870cf8cb38c7e58047f77f8375059a206294885c4eca91eca8cb14530336620868563cb

    • SSDEEP

      96:Eac75EdYJF9OfdYJh9OC/7oRD1gnQbPy9YhrrudYJOdYJEA9OqdYJG7T:EaA5EmFwfmhwYUZ2mOmEAwqm0T

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks