Last Updated: 2019-11-13 01:11:37 UTC
by Brad Duncan (Version: 1)
I posted two diaries last year (2018) about Lokibot malware (sometimes spelled "Loki-bot"), one in June 2018 and one in December 2018. It's been a while, so I wanted to share a recent example that came to my blog's admin email on Tuesday 2019-11-12.
You can get a copy of the sanitized email from this Any.Run link.
The infection traffic
Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.
Shown above: EmergingThreats alerts from an Any.Run sandbox analysis of the Windows executable file.
Post-infection forensics on an infected Windows host
I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.
SHA256 hash of the email:
SHA256 hash of the attached RAR archive:
SHA256 hash of the extracted Windows executable file (Lokibot malware):
brad [at] malware-traffic-analysis.net