General

  • Target

    3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb.hta

  • Size

    206KB

  • Sample

    241109-cynhxsvhmc

  • MD5

    ee06f92a6abcd0b214c3251740547dbe

  • SHA1

    6c36d8fa208e1c6f97272ab9f14b4e6b1ff17f3b

  • SHA256

    3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb

  • SHA512

    8d198174ebef3ad98944261cff5eafa079557ca5fda0bfdd340d193eba49e306707f331586bf321ebdb401d40df645de0f411dd1d6592854c3730f3fdf54088b

  • SSDEEP

    48:4FhWsTR/F7gNqXfgaEJK4RJcB458p2ybuzkyq88oCxL/RNOeugGr4BJSFJkvhNcm:43F97/E1RXqfbutqSCxL/Rgeb4Frh/Q

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb.hta

    • Size

      206KB

    • MD5

      ee06f92a6abcd0b214c3251740547dbe

    • SHA1

      6c36d8fa208e1c6f97272ab9f14b4e6b1ff17f3b

    • SHA256

      3b5f33baf9dbcbe033909735e6238ecf8c3f5aaf915d7298157fb07e034cf2bb

    • SHA512

      8d198174ebef3ad98944261cff5eafa079557ca5fda0bfdd340d193eba49e306707f331586bf321ebdb401d40df645de0f411dd1d6592854c3730f3fdf54088b

    • SSDEEP

      48:4FhWsTR/F7gNqXfgaEJK4RJcB458p2ybuzkyq88oCxL/RNOeugGr4BJSFJkvhNcm:43F97/E1RXqfbutqSCxL/Rgeb4Frh/Q

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks