General

  • Target

    706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342.hta

  • Size

    206KB

  • Sample

    241106-dcl9eawlcm

  • MD5

    64d1fd56bfbbb3698a9550ea63759364

  • SHA1

    dcb935d539fa987f85bdda8bf43ac3d2f368df13

  • SHA256

    706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342

  • SHA512

    906a7a5df0c4891a3a89abc253a494efbb382e2a75f035b3aabc6cdac94f9b09324f370e326b12edd461f21a889d41c041bd44131c334e0b2b395ff813fc1e93

  • SSDEEP

    48:4FhWsTR/F7gNqXfDx4l0i2F4B0i2Nq87ONSK4EkcdQ03+ljAymG987n1adW4yV4u:43F97/OlLBgTK9Q03+ljNAolv2lq/Q

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342.hta

    • Size

      206KB

    • MD5

      64d1fd56bfbbb3698a9550ea63759364

    • SHA1

      dcb935d539fa987f85bdda8bf43ac3d2f368df13

    • SHA256

      706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342

    • SHA512

      906a7a5df0c4891a3a89abc253a494efbb382e2a75f035b3aabc6cdac94f9b09324f370e326b12edd461f21a889d41c041bd44131c334e0b2b395ff813fc1e93

    • SSDEEP

      48:4FhWsTR/F7gNqXfDx4l0i2F4B0i2Nq87ONSK4EkcdQ03+ljAymG987n1adW4yV4u:43F97/OlLBgTK9Q03+ljNAolv2lq/Q

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks