General
-
Target
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
-
Size
178KB
-
Sample
241118-v6j5kssbql
-
MD5
e80a6dc30c45134e8c433ef07277022f
-
SHA1
9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
-
SHA256
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
-
SHA512
6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8
-
SSDEEP
96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
Static task
static1
Behavioral task
behavioral1
Sample
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
-
Size
178KB
-
MD5
e80a6dc30c45134e8c433ef07277022f
-
SHA1
9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
-
SHA256
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
-
SHA512
6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8
-
SSDEEP
96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
-
Lokibot family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1