2017-09-20 - LOKIBOT INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-09-20-Lokibot-infection-traffic.pcap.zip   158.9 kB (158,939 bytes)

• 2017-09-20-Lokibot-infection-traffic.pcap   (398,387 bytes)

• 2017-09-20-Lokibot-malspam-0809-UTC.eml.zip   20.2 kB (20,249 bytes)

• 2017-09-20-Loki-bot-malspam-0809-UTC.eml   (53,254 bytes)

• 2017-09-20-malware-from-Lokibot-infection.zip   197.5 kB (197,525 bytes)

• LPO#20092017.xls   (36,820 bytes)
• voke.exe   (483,328 bytes)

 

EMAIL

Shown above:  Screenshot from the email seen on 2017-09-20.

 

EMAIL HEADER INFORMATION:

• Date:  Wednesday, 2017-09-20 08:09 UTC
• Subject:  RFQ: FROM: Fortune Sciences Co., Ltd
• Message-ID:  <6e489ba9249990691deade3b19cd839b@foodxervices[.]com>
• From:  "Khin Htun" <mili@foodxervices[.]com>

 

Shown above:  Malicious Excel spreadsheet attached to the email.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED TRAFFIC:

• 185.165.29[.]55 port 80 - 185.165.29[.]55 - GET /voke.exe
• 185.165.29[.]123 port 80 - 185.165.29[.]123 - POST /voke/fre.php

 

MALWARE

EXCEL SPREADSHEET ATTACHED TO THE EMAIL:

• SHA256 hash:  e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca
  File size:  36,820 bytes
  File name:  LPO#20092017.xls

FOLLOW-UP MALWARE (LOKIBOT):

• SHA256 hash:  769bdfc3c5938b42d008937bc91e8959a22caf2fbbd2583c84cca878f96ac6e6
  File size:  483,328 bytes

 

Click here to return to the main page.