
An example of malspam pushing Lokibot malware, November 2019

Published: 2019-11-13
Last Updated: 2019-11-13 01:11:37 UTC
by Brad Duncan (Version: 1)

Introduction

I posted two diaries last year (2018) about Lokibot malware (sometimes spelled "Loki-bot"). One was in June 2018 and one was in December 2018. It's been a while, so I wanted to share a recent example that came to my blog's admin email on Tuesday 2019-11-12.

The email

You can get a copy of the sanitized email from this Any.Run link.

Shown above: A copy of the email opened in Thunderbird.

The attachment was a RAR archive (link) and the RAR archive contained a Windows executable file disguised as a PDF document (link).
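The attachment pattern described above (an archive whose member is a Windows executable named to look like a PDF) is something a mail gateway or triage script can catch by checking file content against the claimed extension. The following is an added example, not code from the diary or from any ISC tooling; it uses an in-memory ZIP built with the standard library as a stand-in for the RAR archive in the diary (the ZIP, the member names and the byte contents are constructed for this example), and the extension lists are assumptions chosen for illustration.

```python
import io
import re
import zipfile
from typing import Dict, List

PE_MAGIC = b"MZ"          # first two bytes of a Windows executable (DOS header)
PDF_MAGIC = b"%PDF"       # first four bytes of a PDF document

# Assumed lists for this example; a real deployment would tune these.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def extension_parts(filename: str) -> List[str]:
    """Return the lower-cased dotted suffixes of a name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    pieces = filename.lower().strip().split(".")
    return ["." + p.strip() for p in pieces[1:]]


def suspicious_reasons(filename: str, header: bytes) -> List[str]:
    """Compare a file's leading bytes with the extension it claims and list mismatches."""
    reasons = []
    suffixes = extension_parts(filename)
    last = suffixes[-1] if suffixes else ""
    is_pe = header.startswith(PE_MAGIC)

    # Content is a PE file but the name does not admit it (e.g. 'Invoice.pdf' starting with MZ).
    if is_pe and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header but non-executable extension %r" % last)
    # Double extension such as 'Invoice.pdf.exe' (Explorer hides the final '.exe' by default).
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension %s%s" % (suffixes[-2], last))
    # Long run of spaces pushing the real extension out of view in a narrow column.
    if re.search(r"\s{3,}\.[A-Za-z0-9]+$", filename):
        reasons.append("whitespace padding before the real extension")
    # A plain executable attachment is worth flagging on its own.
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % last)
    return reasons


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Scan every member of an in-memory ZIP; return {member name: reasons} for flagged members."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                header = fh.read(8)   # only the leading bytes are needed for the magic check
            reasons = suspicious_reasons(info.filename, header)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign PDF-like member and one PE member named like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation.pdf", PDF_MAGIC + b"-1.4\n% constructed sample, not a real document\n")
        zf.writestr("Quotation.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

The check deliberately trusts the bytes, not the name: the diary's sample would be caught by the first rule even if the sender had dropped the second extension entirely. For real RAR attachments the same `suspicious_reasons` function can be fed member names and leading bytes from whatever unpacker the gateway already uses.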

Shown above: The attached RAR archive and the extracted Windows executable file.

The infection traffic

Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.

Shown above: Traffic from an infection filtered in Wireshark.

Shown above: TCP stream from one of the HTTP requests caused by my sample of Lokibot malware.

Shown above: EmergingThreats alerts from an Any.Run sandbox analysis of the Windows executable file.

Post-infection forensics on an infected Windows host

I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.

Shown above: Lokibot on an infected Windows host.

Shown above: Windows registry update caused by Lokibot to stay persistent.

Final words

SHA256 hash of the email:

SHA256 hash of the attached RAR archive:

SHA256 hash of the extracted Windows executable file (Lokibot malware):

--
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: exe lokibot malspam
