2018-11-26 - INFECTION FROM MALSPAM PUSHING LOKIBOT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the email:  2018-11-26-Lokibot-malspam-0654-UTC.eml.zip   347 kB (347,348 bytes)

• 2018-11-26-Lokibot-malspam-0654-UTC.eml   (458,848 bytes)

• Zip archive of the infection traffic:  2018-11-26-Lokibot-infection-traffic.pcap.zip   4 kB (4,239 bytes)

• 2018-11-26-Lokibot-infection-traffic.pcap   (8,218 bytes)

• Zip archive of the malware:  2018-11-26-malware-from-Lokibot-infection.zip   675 kB (675,086 bytes)

• 2018-11-26-Lokibot-extracted-from-attached-archive.exe   (1,111,864 bytes)
• 2018-11-26-archive-file-attached-to-malspam.zip   (336,998 bytes)

NOTES:

• I've seen "Lokibot" also spelled as "Loki-bot".
• Even though I can find Lokibot every day, it's still the same type of infection without any surprises, which is why I don't often blog about it.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest anything to the following domain:

• zereocompany[.]com

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL INFORMATION:

• Date:  Monday, 2018-11-26 at 06:54 UTC
• Subject:  PURCHASE ORDER/PROFORMA-26-11-08
• From:  Jin Sui Ying <crisjinsuiying@126[.]com>
• Received: from ngay25-10.com (csikx006233-EU-FR-IKDC2-Z5-BASIC.ikexpress[.]com [109.238.6[.]233])
• Message-ID:  <f2809fdf536a980417e17cedd781bfbc@alfred[.]com>
• Attachment name:  scan001_2670170.gz   (actually a zip archive)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Following the TCP stream from an HTTP request in the post-infection traffic.

 

INFECTION TRAFFIC:

• 192.162.244[.]14 port 80 - www.zereocompany[.]com - POST /bazzltd/roks04/fre.php HTTP/1.0
• 194.87.93[.]62 port 80 - www.zereocompany[.]com - POST /bazzltd/roks04/fre.php HTTP/1.0

 

MALWARE

EMAIL ATTACHMENT (ZIP ARCHIVE):

• SHA256 hash:  6fe65cd4c70581a08fd4c027ce6e670125ebe8f5544e91f417389988b8ab5547
  File size:  336,998 bytes
  File name:  scan001_2670170.gz

EXTRACTED LOKIBOT MALWARE:

• SHA256 hash:  74f24d80ca15fd2123604c562e60908de928cd2742ba2783aeba4dae91faefb6
  File size:  1,111,864 bytes
  File name:  scan001_2670170.exe
  File location after infection:  C:\Users\[username]\AppData\Roaming\D22054\40274E.exe

 

Shown above:  Windows registry update to keep the Lokibot infection persistent.

 

Click here to return to the main page.