General
-
Target
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta
-
Size
178KB
-
Sample
241116-rqsv1ayajg
-
MD5
5476ba599869d81abee08f38f1c1a1d9
-
SHA1
46748779ec123145fdf90942c9df65d0099c9a99
-
SHA256
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669
-
SHA512
516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd
-
SSDEEP
96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ
Static task
static1
Behavioral task
behavioral1
Sample
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta
-
Size
178KB
-
MD5
5476ba599869d81abee08f38f1c1a1d9
-
SHA1
46748779ec123145fdf90942c9df65d0099c9a99
-
SHA256
ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669
-
SHA512
516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd
-
SSDEEP
96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ
-
Lokibot family
-
Blocklisted process makes network request
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-