Malware-Traffic-Analysis.net - 2018-01-08 - Malspam pushing Loki Bot malware

2018-01-08 - MALSPAM PUSHING LOKI BOT MALWARE

ASSOCIATED FILES:

Zip archive of the pcap: 2018-01-08-Loki-Bot-traffic.pcap.zip 3.9 kB (3,872 bytes)

2018-01-08-Loki-Bot-traffic.pcap (14,662 bytes)

Zip archive of the email and malware: 2018-01-08-Loki-Bot-email-and-malware.zip 1.4 MB (1,449,823 bytes)

2018-01-08-malspam-pushing-Loki-Bot-1531-UTC.txt (646,730 bytes)

swift copia rapida.Ace (468,346 bytes)

copia rapida.exe (882,176 bytes)

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:

Shown above: Screenshot of the email.

EMAIL INFORMATION:

Shown above: Attached ".Ace" file is actually an RAR archive.

Shown above: Infection traffic in Wireshark.

POST-INFECTION TRAFFIC:

ATTACHMENT FROM THE MALSPAM:

SHA256 hash: 6c9842a60273cedaeac6cabbe83a364cf514fdc1b6c57845d6a6a16ebbf91f84
File size: 468,346 bytes
File name: swift copia rapida.Ace
NOTE: This is a RAR archive, not a ACE file.

LOKI BOT MALWARE EXTRACTED FROM THE RAR ARCHIVE:

SHA256 hash: 5931df88879e9f85851591a26d2b14fad0c4f3599a5222f06c154414cdcf79fe
File size: 882,176 bytes
File name: swift copia rapida.exe
File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:

Shown above: Registry key and associated file on the infected Windows host.

Once again, here are the associated files:

Zip archive of the pcap: 2018-01-08-Loki-Bot-traffic.pcap.zip 3.9 kB (3,872 bytes)
Zip archive of the email and malware: 2018-01-08-Loki-Bot-email-and-malware.zip 1.4 MB (1,449,823 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.