General
-
Target
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta
-
Size
178KB
-
Sample
241119-gqwa1ssaml
-
MD5
a54bdd270a424ec79b735ef6b513c2e4
-
SHA1
465738a3e31b16ad80c44f3dc7bdd762e402cb51
-
SHA256
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
-
SHA512
598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
-
SSDEEP
96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ
Static task
static1
Behavioral task
behavioral1
Sample
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
lokibot
http://94.156.177.95/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta
-
Size
178KB
-
MD5
a54bdd270a424ec79b735ef6b513c2e4
-
SHA1
465738a3e31b16ad80c44f3dc7bdd762e402cb51
-
SHA256
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
-
SHA512
598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
-
SSDEEP
96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ
-
Lokibot family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-