General

  • Target

    fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta

  • Size

    204KB

  • Sample

    241026-dtvl4swrf1

  • MD5

    9dbf5ee2610284f5668fb229ba474b95

  • SHA1

    12b3f4c93e36b9bca1bfecf8fa522748d3631c74

  • SHA256

    fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0

  • SHA512

    06fe1b0e3ca4e04108fa8a50f60867e42f38e60768aebbc8935a7c24b973cf3546f6f7f4548e9fac67cebe552319d7323fee5eeaa87dc5f958aa23377cb3ccb2

  • SSDEEP

    96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0.hta

    • Size

      204KB

    • MD5

      9dbf5ee2610284f5668fb229ba474b95

    • SHA1

      12b3f4c93e36b9bca1bfecf8fa522748d3631c74

    • SHA256

      fcc1b8c11b5cae212cbdb9b7aaa083da59ccab319816d7ef8e37c2856347b0f0

    • SHA512

      06fe1b0e3ca4e04108fa8a50f60867e42f38e60768aebbc8935a7c24b973cf3546f6f7f4548e9fac67cebe552319d7323fee5eeaa87dc5f958aa23377cb3ccb2

    • SSDEEP

      96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks