General

  • Target

    greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta

  • Size

    131KB

  • Sample

    241029-pf13hsvglm

  • MD5

    cbb8dddfef9d1d2893d4a4b51b4f0dab

  • SHA1

    595c2221b9613342ed4a82c235ea19fe9c0383f9

  • SHA256

    e25677838f8394ed8b59c431e454e3bd0ec107421ef1a2502c5167bdd1340ddc

  • SHA512

    1daa9c96c9ba2e6e1939ab2b82e9a8f771f9ba0d4c4d088214864034aa9084483c1f42e5436f32043809a0346f0d59d84eb902946e6f1672175e22cac042d4a4

  • SSDEEP

    192:4vCFXMFgYPCgYmHUCYc6dEMoyzsDxgYtaXQ:0CF8qYPRYmHU1Jyh2saYtag

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta

    • Size

      131KB

    • MD5

      cbb8dddfef9d1d2893d4a4b51b4f0dab

    • SHA1

      595c2221b9613342ed4a82c235ea19fe9c0383f9

    • SHA256

      e25677838f8394ed8b59c431e454e3bd0ec107421ef1a2502c5167bdd1340ddc

    • SHA512

      1daa9c96c9ba2e6e1939ab2b82e9a8f771f9ba0d4c4d088214864034aa9084483c1f42e5436f32043809a0346f0d59d84eb902946e6f1672175e22cac042d4a4

    • SSDEEP

      192:4vCFXMFgYPCgYmHUCYc6dEMoyzsDxgYtaXQ:0CF8qYPRYmHU1Jyh2saYtag

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks