I posted two diaries last year (2018) about Lokibot malware (sometimes spelled "Loki-bot"). One was in June 2018 and one was in December 2018. It's been a while, so I wanted to share a recent example that came to my blog's admin email on Tuesday 2019-11-12.
You can get a copy of the sanitized email from this Any.Run link.
The infection traffic
Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.
Post-infection forensics on an infected Windows host
I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.
SHA256 hash of the email:
SHA256 hash of the attached RAR archive:
SHA256 hash of the extracted Windows executable file (Lokibot malware):
Nov 13th 2019