2017-09-20 - LOKI BOT MALSPAM - SUBJECT: RFQ: FROM: FORTUNE SCIENCES CO., LTD
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-09-20-Loki-bot-malspam-traffic.pcap.zip 159 kB (158,937 bytes)
- 2017-09-20-Loki-bot-malspam-traffic.pcap (398,387 bytes)
- Zip archive of the email and associated malware: 2017-09-20-Loki-bot-malspam-and-artifacts.zip 217 kB (217,374 bytes)
- 2017-09-20-Loki-bot-malspam-0809-UTC.eml (53,254 bytes)
- LPO#20092017.xls (36,820 bytes)
- voke.exe (483,328 bytes)
Shown above: Screenshot from the email seen on 2017-09-20.
EMAIL HEADER INFORMATION:
- Date: Wednesday, 2017-09-20 08:09 UTC
- Subject: RFQ: FROM: Fortune Sciences Co., Ltd
- Message-ID: <6e489ba9249990691deade3b19cd839b@foodxervices.com>
- From: "Khin Htun" <mili@foodxervices.com>
Shown above: Malicious Excel spreadsheet attached to the email.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED TRAFFIC:
- 185.165.29.55 port 80 - 185.165.29.55 - GET /voke.exe
- 185.165.29.123 port 80 - 185.165.29.123 - POST /voke/fre.php
MALWARE
EXCEL SPREADSHEET ATTACHED TO THE EMAIL:
- SHA256 hash: e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca
File size: 36,820 bytes
File name: LPO#20092017.xls
FOLLOW-UP MALWARE (LOKI BOT):
- SHA256 hash: 769bdfc3c5938b42d008937bc91e8959a22caf2fbbd2583c84cca878f96ac6e6
File size: 483,328 bytes
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-09-20-Loki-bot-malspam-traffic.pcap.zip 159 kB (158,937 bytes)
- Zip archive of the email and associated malware: 2017-09-20-Loki-bot-malspam-and-artifacts.zip 217 kB (217,374 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.