General
-
Target
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
-
Size
130KB
-
Sample
241026-c22jysycjf
-
MD5
401fa9878282b2404925d1ac2599b7c0
-
SHA1
876d5ea4b89ef48cd614fc098154e3e2caa176f3
-
SHA256
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948
-
SHA512
45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63
-
SSDEEP
96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T
Static task
static1
Behavioral task
behavioral1
Sample
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Extracted
lokibot
http://94.156.177.220/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
-
Size
130KB
-
MD5
401fa9878282b2404925d1ac2599b7c0
-
SHA1
876d5ea4b89ef48cd614fc098154e3e2caa176f3
-
SHA256
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948
-
SHA512
45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63
-
SSDEEP
96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T
-
Lokibot family
-
Blocklisted process makes network request
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-