General

  • Target

    ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta

  • Size

    178KB

  • Sample

    241116-rqsv1ayajg

  • MD5

    5476ba599869d81abee08f38f1c1a1d9

  • SHA1

    46748779ec123145fdf90942c9df65d0099c9a99

  • SHA256

    ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669

  • SHA512

    516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd

  • SSDEEP

    96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

lokibot

C2

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta

    • Size

      178KB

    • MD5

      5476ba599869d81abee08f38f1c1a1d9

    • SHA1

      46748779ec123145fdf90942c9df65d0099c9a99

    • SHA256

      ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669

    • SHA512

      516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd

    • SSDEEP

      96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks