General

  • Target

    goodthingstoapprovethebestwaytounderstandhowmuchgood.hta

  • Size

    131KB

  • Sample

    241029-g39zyavkfk

  • MD5

    c8cbdfd8a9cde5597983e48f8a9dff18

  • SHA1

    df42a953a8f67e4bc41d8cb1cc9a707bd358617c

  • SHA256

    98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7

  • SHA512

    18a54603e30fa03c6f6671a0d47eb7fe9942f7aefc038649222aa204561a3c50fe775c2c83c4d240757ef82fcbdaa4c86c8fe1e249c30abdd6bc76b16a8b4587

  • SSDEEP

    96:4vCt7Qm6c4rJAcUJrH6FE4/JCgfXjaPW8/85ScHtcYggzZbrUZcKqQ:4vCF3KrJ2rg3Ugy6rDQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      goodthingstoapprovethebestwaytounderstandhowmuchgood.hta

    • Size

      131KB

    • MD5

      c8cbdfd8a9cde5597983e48f8a9dff18

    • SHA1

      df42a953a8f67e4bc41d8cb1cc9a707bd358617c

    • SHA256

      98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7

    • SHA512

      18a54603e30fa03c6f6671a0d47eb7fe9942f7aefc038649222aa204561a3c50fe775c2c83c4d240757ef82fcbdaa4c86c8fe1e249c30abdd6bc76b16a8b4587

    • SSDEEP

      96:4vCt7Qm6c4rJAcUJrH6FE4/JCgfXjaPW8/85ScHtcYggzZbrUZcKqQ:4vCF3KrJ2rg3Ugy6rDQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks