Introduction

I posted two diaries last year (2018) about Lokibot malware (sometimes spelled "Loki-bot").  One was in June 2018 and one was in December 2018.  It's been a while, so I wanted to share a recent example that came to my blog's admin email on Tuesday 2019-11-12.

The email

You can get a copy of the sanitized email from this Any.Run link.

Shown above:  A copy of the email opened in Thunderbird.

The attachment was a RAR archive (link) and the RAR archive contained a Windows executable file disguised as a PDF document (link).

Shown above:  The attached RAR archive and the extracted Windows executable file.

The infection traffic

Infection traffic is easily detectable by signatures from the EmergingThreats Open ruleset.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  TCP stream from one of the HTTP requests caused by my sample of Lokibot malware.

Shown above:  EmergingThreats alerts from an Any.Run sandbox analysis of the Windows executable file.

Post-infection forensics on an infected Windows host

I was able to infect a Windows 10 host in my lab environment, and Lokibot made itself persistent through the Windows registry.

Shown above:  Lokibot on an infected Windows host.

Shown above:  Windows registry update caused by Lokibot to stay persistent.

Final words

SHA256 hash of the email:

• 85bf9dd2d8379099b57b798203d0a1a6e9f189d66d6b690600ed0c19ec09ec24

SHA256 hash of the attached RAR archive:

• b72194e63859303739018acc18faf5d8f8fd2574d970b0215b3bfa0403089ece

SHA256 hash of the extracted Windows executable file (Lokibot malware):

• b15f4d45a37b383a9d84510faac2e9fe418a9562aecc29f7e96497e9a6af0304
  • Any.Run analysis
  • CAPE sandbox analysis
  • Hybrid-analysis.com sandbox analysis

--
Brad Duncan
brad [at] malware-traffic-analysis.net