2021-08-05 Lokibot IOCs

1. THREAT IDENTIFICATION: LOKIBOT
2.  
3. SUBJECTS OBSERVED
4. Purchase Order NO_4082021
5.  
6. SENDERS OBSERVED
7. [email protected]
8.  
9. MALDOC FILE HASHES
10. Purchase Order NO_4082021.xlsx
11. 7c93eb8e06a1734cd40e729172eae349
12.  
13. LOKIBOT PAYLOAD URLS
14. http://revolver-reloaded.de/contentcj/vutomecj.exe
15.  
16. LOKIBOT PAYLOAD FILE HASHES
17. 97071E.exe
18. 7598c86263182dca909e4b70a6e5f2bb
19.  
20. LOKIBOT C2
21. http://arkt.xyz/mrtker4/w2/fre.php
22.  
23. C2 PACKET CONTENTS
24. POST /mrtker4/w2/fre.php HTTP/1.0
25. User-Agent: Mozilla/4.08 (Charon; Inferno)
26. Host: arkt.xyz
27. Accept: */*
28. Content-Type: application/octet-stream
29. Content-Encoding: binary
30. Content-Key: A1795E60
31. Content-Length: 176
32. Connection: close
33.  
34. HTTP/1.1 404 Not Found
35. Date: Thu, 05 Aug 2021 13:52:35 GMT
36. Content-Type: text/html; charset=UTF-8
37. Connection: close
38. status: 404 Not Found
39. CF-Cache-Status: DYNAMIC
40. Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BSaFzWv8HeVhuZWpAhC6PlLzkid1Efgk3Y348HcFZtYKQAKnLrKPoaKsJhWjc8xJRH6WMIW%2B7Wa3fXDMvbrFdNDQ%2FZOuyGD3i0uOlULiQemtoct5n1zkzCg5mw%3D%3D"}],"group":"cf-nel","max_age":604800}
41. NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
42. Server: cloudflare
43. CF-RAY: 67a081bd89dd4bbf-YUL
44. alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
45.  
46. SUPPORTING EVIDENCE
47. https://app.any.run/tasks/0f19c470-3fdb-41e9-81d7-733dbabaab02/
48.