2021-02-17 Lokibot IOCs

1. THREAT ATTRIBUTION: LOKIBOT / AVE MARIA?
2.  
3. ANALYST NOTES
4. I thought that the combination of a cutt.ly forward to download an .exe is usually indicative of Ave Maria.
5. However, the C2 traffic out to fre.php is clearly Lokibot.
6.  
7. SUBJECTS OBSERVED
8. Statement for month-end Jan 2021 T/T payment
9.  
10. SENDERS OBSERVED
11. [email protected]
12.  
13. MALDOC FILE HASHES
14. Payment list.xlsx
15. 010f2db66f5ffec899d9990e3316b37c
16. McAfee=Y
17.  
18. Statement.xlsx
19. 010f2db66f5ffec899d9990e3316b37c
20. McAfee=Y
21.  
22. LOKIBOT PAYLOAD URLS
23. https://cutt.ly/0kLb8eI
24. http://kungsb2stdygotchtstf.dns.army/kung2doc/winlog.exe
25.  
26. LOKIBOT PAYLOAD FILE HASHES
27. winlog.exe
28. 8cc9a32f8cf03de89a1a9235ae206cd0
29.  
30. It's renamed and moved here:
31. C:\users\analyst\AppData\Roaming\17E4D9
32. 97071E.exe
33. 8cc9a32f8cf03de89a1a9235ae206cd0
34.  
35. LOKIBOT C2
36. http://becharnise.ir/fb3/fre.php
37.  
38. ADDITIONAL FILES
39. I also found the following - I don't know if they're malicious:
40.  
41. C:\users\analyst\AppData\Local\Temp
42. 76v7xb.dll
43. 43b77e01a8b6f3af6500fe732941f66d
44.  
45. C:\users\analyst\AppData\Local\Temp\nsdEED6.tmp
46. System.dll
47. fccff8cb7a1067e23fd2e2b63971a8e1
48.  
49. From Virustotal:
50. "This is the System.dll file component of Nullsoft Scriptable Install System Portable v3.06.1 (nsis-3.06.1)
51. Malware may had utilized it for a bad purpose."
52.  
53. SUPPORTING EVIDENCE
54. https://app.any.run/tasks/d071d34e-b9d2-440e-be70-7b24d6ae3bec/
55.