General

  • Target

    seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta

  • Size

    131KB

  • Sample

    241029-pzh12svhnj

  • MD5

    196fb761aa0f295e150b75bd8ad638b4

  • SHA1

    c209ef825b7f80e43f3c904efbc2df582117eeb0

  • SHA256

    86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6

  • SHA512

    38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85

  • SSDEEP

    96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta

    • Size

      131KB

    • MD5

      196fb761aa0f295e150b75bd8ad638b4

    • SHA1

      c209ef825b7f80e43f3c904efbc2df582117eeb0

    • SHA256

      86f7ef2ea14259c52d1fe1627978ef45a94fc4234c7328a1492da55a400703d6

    • SHA512

      38b7eaff75c6d2cc3b5da4ebb6c345247d35d44b29804c67227404942075db9abf6466716122be3cc4bcb7c8188e0aa3c3b69d9459fd1cff8f5177eaae028b85

    • SSDEEP

      96:4vCt7evwlevO+D4xMUrwKtkTt0cZPeIvdDveRAz5hg3vBQ:4vCFUWUiXwK2TpSbBQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks