General

  • Target

    kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

  • Size

    178KB

  • Sample

    241115-vrdz1syale

  • MD5

    43f15554d66e784d988aa2da3ed2a136

  • SHA1

    6d0fb362a8aa62a046e25435e6a525e2ca61492d

  • SHA256

    5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8

  • SHA512

    2c06f6a513bd10d648dfec384fc1056b0e8f39a830e0671f9098961076de61ac7db5e0dc7724a7ffd403a4769b90324aeb785d0b16c13dfe7dd24342a9460cd9

  • SSDEEP

    96:4vCl17J1YiZVGTVy1YiZQGTVMFxfwVXNewJrC1YiZo1YiZDjGTVs1YiZkQ:4vCldfhjGTOheGTqHwShohxjGTYhuQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

lokibot

C2

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      kissmegoodthingwhichgivemebestthignswithgirluaremy.hta

    • Size

      178KB

    • MD5

      43f15554d66e784d988aa2da3ed2a136

    • SHA1

      6d0fb362a8aa62a046e25435e6a525e2ca61492d

    • SHA256

      5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8

    • SHA512

      2c06f6a513bd10d648dfec384fc1056b0e8f39a830e0671f9098961076de61ac7db5e0dc7724a7ffd403a4769b90324aeb785d0b16c13dfe7dd24342a9460cd9

    • SSDEEP

      96:4vCl17J1YiZVGTVy1YiZQGTVMFxfwVXNewJrC1YiZo1YiZDjGTVs1YiZkQ:4vCldfhjGTOheGTqHwShohxjGTYhuQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks