General

  • Target

    greatthingswithmegood.hta

  • Size

    169KB

  • Sample

    241030-jathlaxncs

  • MD5

    d61ef0038de65f697abb0b7a21b499db

  • SHA1

    f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8

  • SHA256

    8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93

  • SHA512

    3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223

  • SSDEEP

    48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      greatthingswithmegood.hta

    • Size

      169KB

    • MD5

      d61ef0038de65f697abb0b7a21b499db

    • SHA1

      f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8

    • SHA256

      8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93

    • SHA512

      3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223

    • SSDEEP

      48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks