General
Target: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
Size: 131KB
Sample: 241029-pzh12svhnj
MD5: 196fb761aa0f295e150b75bd8ad638b4
SHA1: c209ef825b7f80e43f3c904efbc2df582117eeb0
SHA256: 86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6
SHA512: 38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85
SSDEEP: 96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ
Static task: static1
Behavioral task: behavioral1
  Sample: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
  Resource: win10v2004-20241007-en
Malware Config
Extracted: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Extracted: lokibot
  http://94.156.177.220/logs/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta
Lokibot family
Blocklisted process makes network request
Evasion via Device Credential Deployment
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext