General
-
Target
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
-
Size
178KB
-
Sample
241120-hw3gysshmf
-
MD5
4ce3b0e612e1968b6c491ab1ab818884
-
SHA1
cbc890a816e9b7e993c90fb63d51526a76616323
-
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
-
SHA512
9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
-
SSDEEP
96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Static task
static1
Behavioral task
behavioral1
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win10v2004-20241007-en
Malware Config
Extracted
lokibot
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
-
Size
178KB
-
MD5
4ce3b0e612e1968b6c491ab1ab818884
-
SHA1
cbc890a816e9b7e993c90fb63d51526a76616323
-
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
-
SHA512
9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
-
SSDEEP
96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
-
Lokibot family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1