SANS ISC: Internet Storm Center
An example of malspam pushing Lokibot malware, November 2019

Published: 2019-11-13
Last Updated: 2019-11-13 01:11:37 UTC
by Brad Duncan (Version: 1)


I posted two diaries last year (2018) about Lokibot malware (sometimes spelled "Loki-bot").  One was in June 2018 and one was in December 2018.  It's been a while, so I wanted to share a recent example that came to my blog's admin email on Tuesday 2019-11-12.

The email

You can get a copy of the sanitized email from this Any.Run link.

Shown above:  A copy of the email opened in Thunderbird.

The attachment was a RAR archive (link), and the RAR archive contained a Windows executable file disguised as a PDF document (link).

Shown above:  The attached RAR archive and the extracted Windows executable file.
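The check a mail gateway or analyst should apply to that attachment is to trust the bytes, not the name. The following is an added example (not code from the diary) that classifies an archive member by its leading bytes and compares that with what the file name claims; the RAR container itself is not parsed, and the member names and bytes in SAMPLE_MEMBERS are constructed to mimic the attachment the diary describes.

```python
"""Triage an archive member like the one in this diary: a Windows executable
given a PDF-looking name inside a RAR attachment.

Added example, not code from the diary. The RAR container itself is not
parsed here; the member names and bytes in SAMPLE_MEMBERS are constructed
to mimic the attachment the diary describes.
"""
import re

PE_MAGIC = b"MZ"        # DOS stub that begins every Windows PE file
PDF_MAGIC = b"%PDF-"
RLO = "\u202e"          # Unicode right-to-left override: "a\u202efdp.exe" renders as "aexe.pdf"
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf"}
# "invoice.pdf.exe": a document extension followed by a second extension
DOUBLE_EXTENSION = re.compile(r"\.(pdf|doc|docx|xls|xlsx|rtf|txt)\.[a-z]{2,4}$")


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the file name claims."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def claimed_type(name: str) -> str:
    """Classify by the final extension, i.e. what the name wants you to believe."""
    parts = name.lower().rsplit(".", 1)
    if len(parts) < 2:
        return "none"
    ext = "." + parts[1]
    if ext == ".pdf":
        return "pdf"
    if ext in EXECUTABLE_EXTENSIONS:
        return "pe"
    return "other"


def triage_member(name: str, data: bytes) -> list:
    """Return the reasons to treat this member as hostile; an empty list means none found."""
    reasons = []
    actual, claimed = sniff_type(data), claimed_type(name)
    if actual == "pe" and claimed != "pe":
        reasons.append(f"content is a PE executable but the name claims {claimed}")
    if RLO in name:
        reasons.append("right-to-left override character in file name")
    if DOUBLE_EXTENSION.search(name.lower()):
        reasons.append("document extension followed by a second extension")
    if actual == "pe" and claimed == "pe":
        reasons.append("executable attachment")
    return reasons


def triage_archive(members) -> dict:
    """Map each member name to its findings; members is an iterable of (name, bytes)."""
    return {name: triage_member(name, data) for name, data in members}


# Constructed sample members: names and bytes are illustrative, not from the diary.
SAMPLE_MEMBERS = [
    ("Purchase_Order_1121.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("Purchase_Order_1121.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("Purchase_Order\u202efdp.exe", b"MZ\x90\x00"),
    ("Real_Document.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]

if __name__ == "__main__":
    for member, findings in triage_archive(SAMPLE_MEMBERS).items():
        print(f"{member!r}: {findings or 'clean'}")
```

The first check is the one that catches the diary's sample regardless of how the name was dressed up: an MZ header under a .pdf name is never legitimate. The extension and RLO checks are there because the same payload is routinely delivered under the other two disguises.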

The infection traffic

Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  TCP stream from one of the HTTP requests caused by my sample of Lokibot malware.

Shown above:  EmergingThreats alerts from an Any.Run sandbox analysis of the Windows executable file.
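To show what a network signature for this traffic actually keys on, here is an added example (not the diary's code and not the EmergingThreats rule text) that parses raw HTTP requests and flags Lokibot-style check-ins. It rests on one assumption the diary does not spell out: Lokibot beacons with an HTTP POST whose User-Agent is "Mozilla/4.08 (Charon; Inferno)" and whose body is application/octet-stream, which is the User-Agent the public ET signature for Lokibot matches. The requests in SAMPLE_REQUESTS are constructed, and the host names and paths in them are placeholders.

```python
"""Flag Lokibot-style C2 check-ins in captured HTTP requests.

Added example, not the diary's code and not the EmergingThreats rule text.
Assumption the diary does not state: Lokibot beacons with an HTTP POST whose
User-Agent is "Mozilla/4.08 (Charon; Inferno)" and whose body is
application/octet-stream. The raw requests in SAMPLE_REQUESTS are constructed;
host names and paths are placeholders.
"""
from dataclasses import dataclass, field

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP request parser: request line, headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers, body)


def lokibot_indicators(req: HttpRequest) -> list:
    """Reasons this request looks like a Lokibot check-in (empty if none)."""
    hits = []
    user_agent = req.headers.get("user-agent", "")
    content_type = req.headers.get("content-type", "")
    # High-confidence: the fixed User-Agent string the bot sends on every POST
    if user_agent == LOKIBOT_USER_AGENT:
        hits.append("User-Agent Charon/Inferno")
    # Lower-confidence shape match: binary body posted to a PHP gate script
    if (req.method == "POST" and content_type.startswith("application/octet-stream")
            and req.uri.lower().endswith(".php")):
        hits.append("binary POST to a PHP endpoint")
    return hits


def scan(raw_requests) -> list:
    """Return (host, uri, hits) for every request with at least one indicator."""
    alerts = []
    for raw in raw_requests:
        req = parse_request(raw)
        hits = lokibot_indicators(req)
        if hits:
            alerts.append((req.headers.get("host", "?"), req.uri, hits))
    return alerts


# Constructed samples: the first has the shape of the diary's TCP stream, the
# second is an ordinary browser form post that must not alert.
SAMPLE_REQUESTS = [
    (b"POST /panel/gate.php HTTP/1.0\r\n"
     b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
     b"Host: c2.example\r\n"
     b"Accept: */*\r\n"
     b"Content-Type: application/octet-stream\r\n"
     b"Content-Encoding: binary\r\n"
     b"Content-Length: 8\r\n"
     b"Connection: close\r\n\r\n"
     b"\x12\x00\x27\x00\x00\x00\x00\x00"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: www.example\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 13\r\n\r\n"
     b"user=a&pass=b"),
]

if __name__ == "__main__":
    for host, uri, hits in scan(SAMPLE_REQUESTS):
        print(f"{host}{uri}: " + ", ".join(hits))
```

The User-Agent match is the one to alert on; the octet-stream-to-PHP shape on its own is only corroboration, since legitimate upload clients can look the same. Running a check like this over a Wireshark export of the stream shown above is a quick way to confirm what the ET alert fired on before pivoting to the host.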

Post-infection forensics on an infected Windows host

I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.

Shown above:  Lokibot on an infected Windows host.

Shown above:  Windows registry update caused by Lokibot to stay persistent.
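For the host side, here is an added example (not the diary's code) that triages autostart entries the way an analyst would after seeing a registry change like the one above. The diary says only that Lokibot persisted through the registry; this assumes the common case of a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at a copy of the payload under the user's profile. SAMPLE_ENTRIES is constructed; collect_run_entries() reads the live keys with winreg and only works on Windows, while the assessment functions run anywhere.

```python
"""Triage autostart (Run-key) entries for the kind of persistence Lokibot
wrote on the lab host.

Added example, not the diary's code. The diary says only that Lokibot
persisted through the registry; this assumes the common case of a value under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run pointing at a copy of
the payload under the user's profile. SAMPLE_ENTRIES is constructed.
collect_run_entries() reads the live keys and only works on Windows.
"""
import re
import sys

RUN_KEYS = [
    ("HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKCU", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"),
    ("HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("HKLM", "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"),
]
# Where legitimately installed autostart binaries normally live
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations any user process can write to, i.e. where a dropper can copy itself
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Path of the executable, quoted or not, with or without trailing arguments
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|pif|bat|cmd|vbs|js|dll))', re.IGNORECASE)
# A folder whose name is six or more hex digits, e.g. \appdata\roaming\a1b2c3\
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{6,}\\")


def extract_image_path(value: str) -> str:
    """Pull the executable path out of a Run value."""
    match = IMAGE_RE.match(value.strip())
    if match:
        return match.group(1)
    return value.strip().strip('"').split(" ")[0]


def assess_entry(name: str, value: str) -> list:
    """Reasons to look harder at one Run value; empty means it looks ordinary."""
    path = extract_image_path(value).lower()
    reasons = []
    if any(segment in path for segment in USER_WRITABLE):
        reasons.append("binary lives under a user-writable directory")
    elif not path.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside Program Files / System32")
    if HEX_DIR_RE.search(path):
        reasons.append("random-looking hex folder name in path")
    return reasons


def assess_entries(entries) -> list:
    """entries: iterable of (key, name, value); returns the suspicious ones with reasons."""
    flagged = []
    for key, name, value in entries:
        reasons = assess_entry(name, value)
        if reasons:
            flagged.append((key, name, extract_image_path(value), reasons))
    return flagged


def collect_run_entries() -> list:
    """Enumerate the live Run keys with winreg. Returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:          # no more values under this key
                        break
                    entries.append((f"{hive}\\{subkey}", name, str(data)))
                    index += 1
        except OSError:                      # key absent or not readable
            continue
    return entries


# Constructed entries: the second mimics a dropper that copied itself into the
# roaming profile and registered that copy to run at logon.
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "A1B2C3",
     '"C:\\Users\\victim\\AppData\\Roaming\\A1B2C3\\A1B2C3.exe"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    live = collect_run_entries()
    for key, name, image, reasons in assess_entries(live or SAMPLE_ENTRIES):
        print(f"{key}\\{name} -> {image}\n    " + "; ".join(reasons))
```

These checks produce leads, not verdicts: plenty of legitimate per-user software also autostarts from the roaming profile, so each flagged image still needs its hash compared against the sample and its file inspected. Run keys are only one of several registry persistence locations; the same assessment applies to RunOnce, Winlogon and Explorer shell values once collected.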

Final words

SHA256 hash of the email:

SHA256 hash of the attached RAR archive:

SHA256 hash of the extracted Windows executable file (Lokibot malware):

Brad Duncan
brad [at]

Keywords: exe lokibot malspam