2018-03-09 - LOKIBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-03-09-Lokibot-infection-traffic.pcap.zip 3.5 kB (3,515 bytes)
- 2018-03-09-Lokibot-infection-traffic.pcap (13,961 bytes)
- Zip archive of the email and malware: 2018-03-09-Lokibot-email-and-malware.zip 603 kB (602,875 bytes)
- 2018-03-09-Lokibot-malspam-1315-UTC.eml (272,305 bytes)
- contract_2018870028.exe (215,040 bytes)
- contract_2018870028.zip (197,595 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:
- sir-iyke[.]com
Shown above: Screenshot of the email.
EMAIL INFORMATION:
- Date: Friday, 2018-03-09 at 13:15 UTC
- Subject: RE: signed contract and invoice
- From: "Muhammed Sebe" <sharon@mccourtmfg[.]com>
- Received: from mccourtmfg[.]com ([191.101.23[.]150])
- Message-ID: <20180309211511.EA93BE98B1BD16D3@mccourtmfg[.]com>
- Attachment name: contract_2018870028.zip
Shown above: Extracted malware from the zip attachment.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Following the TCP stream from an HTTP request in the post-infection traffic.
INFECTION TRAFFIC:
- 169.255.59[.]27 port 80 - sir-iyke[.]com - POST /five/fre.php HTTP/1.0
MALWARE
EMAIL ATTACHMENT (ZIP ARCHIVE):
- SHA256 hash: f8dd28f9ef8c4c72363f25233c159054848682ac3d8b0c591c78aa0beda82cf7
- File size: 197,595 bytes
- File name: contract_2018870028.zip
EXTRACTED LOKIBOT MALWARE:
- SHA256 hash: 905c6e5f5c773b7f4e090b892c0e7c2b8f6e11ff01c8cd18435ced36291a235e
- File size: 215,040 bytes
- File name: contract_2018870028.exe
- File location after infection: C:\Users\adolph.paxton\AppData\Roaming\D22054\40274E.exe
Shown above: Windows registry update to keep Lokibot infection persistent.