General

  • Target

    b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta

  • Size

    130KB

  • Sample

    241026-c22jysycjf

  • MD5

    401fa9878282b2404925d1ac2599b7c0

  • SHA1

    876d5ea4b89ef48cd614fc098154e3e2caa176f3

  • SHA256

    b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

  • SHA512

    45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63

  • SSDEEP

    96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta

    • Size

      130KB

    • MD5

      401fa9878282b2404925d1ac2599b7c0

    • SHA1

      876d5ea4b89ef48cd614fc098154e3e2caa176f3

    • SHA256

      b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

    • SHA512

      45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63

    • SSDEEP

      96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks