# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

**isc.sans.edu/diary/24372**

## Malspam pushing Lokibot malware

**Published:** 2018-12-04
**Last Updated:** 2018-12-04 02:36:48 UTC
**by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan)

**_Introduction_**

I've frequently seen malicious spam pushing [Lokibot](https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850) (also spelled "Loki-Bot") since 2017. This year, I've written diaries about it in [February 2018](https://isc.sans.edu/forums/diary/3+examples+of+malspam+pushing+LokiBot+malware/23317/) and [June 2018](https://isc.sans.edu/forums/diary/More+malspam+pushing+Lokibot/23754/). I most recently [posted an example to my blog on 2018-11-26](https://www.malware-traffic-analysis.net/2018/11/26/index.html). This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from Monday 2018-12-03.

**_The email_**

Templates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as a purchase quotation. The email contained an Excel spreadsheet with a macro designed to infect vulnerable Windows hosts with Lokibot malware. Potential victims need to click through warnings, so this is not an especially stealthy method of infection.

_Shown above: Screenshot of the email with an attached Excel spreadsheet._

**_Infection traffic_**

A macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe. I used [Fiddler](https://www.telerik.com/fiddler) to monitor the HTTPS traffic and determine the URL. The HTTPS request to a.doko[.]moe had no User-Agent string. If you use [curl](https://curl.haxx.se/) to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.

_Shown above: Traffic from the infection filtered in Wireshark._

_Shown above: Using curl to retrieve the Lokibot malware binary from a.doko[.]moe._

_Shown above: Post-infection traffic from the Lokibot-infected Windows host._

**_Forensics on the infected host_**

The infected Windows host made Lokibot persistent through a Windows registry update. This registry update was quite similar to previous Lokibot infections I've generated in my lab environment. In this example, the infected host also had a VBS file in the Windows Start menu Startup folder. This pointed to another copy of the Lokibot malware executable; however, that executable had deleted itself during the infection. The only existing Lokibot executable was in the directory path listed in the associated Windows registry entry.

_Shown above: Windows registry update to keep Lokibot persistent._

_Shown above: VBS file in the Startup menu folder specifying a location where the malware had deleted itself._

**_Indicators_**

The following are indicators from an infected Windows host. Any URLs, IP addresses, and domain names have been "de-fanged" to avoid any issues when viewing today's diary.

Traffic from an infected Windows host:

- 185.83.215[.]3 port 443 - a.doko[.]moe - GET /tkencn.jpg (encrypted HTTPS traffic)
- 199.192.27[.]109 port 80 - decvit[.]ga - POST /and/cat.php

Malware from an infected Windows host:

- SHA256 hash: [58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8](https://cape.contextis.com/analysis/25246/)
  - File size: 853,504 bytes
  - File name: 62509871.xls
  - File description: Attached Excel spreadsheet with macro to retrieve Lokibot
- SHA256 hash: [b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e](https://cape.contextis.com/analysis/25250/)
  - File size: 853,504 bytes
  - File location: hxxps://a.doko[.]moe/tkencn.jpg
  - File location: C:\Users\[username]\AppData\Roaming\44631D\D1B132.exe
  - File location: C:\Users\[username]\AppData\Roaming\sticik\stickiy.exe (deleted itself during the infection)
  - File description: Lokibot malware binary

**_Final words_**

[Email, pcap, and malware for the infection can be found here.](http://www.malware-traffic-analysis.net/2018/12/03/index.html)

--Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: [Lokibot](https://isc.sans.edu/tag.html?tag=Lokibot) [malspam](https://isc.sans.edu/tag.html?tag=malspam)
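As an added defender-side example (not part of Brad's diary or his tooling), the following Python triages HTTP records for the pattern described in the Infection traffic and Indicators sections: a GET with no User-Agent to an image-named URL that returns a Windows PE, followed by a POST to a .php path from the same client. The client addresses, the User-Agent on the POST and the benign records are constructed; the destination hosts and paths are the diary's own indicators.

```python
"""Triage HTTP records for the Lokibot pattern in the diary: a GET with no
User-Agent to an image-named URL that returns a Windows PE (PE files begin
with "MZ"), then a POST to a .php path from the same client. Sample records
are constructed to mirror the diary; real ones would come from a proxy log."""
from dataclasses import dataclass
from typing import List, Optional

PE_MAGIC = b"MZ"
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

@dataclass
class HttpRecord:
    src_host: str                 # client that made the request
    dst_host: str
    dst_port: int
    method: str
    path: str
    user_agent: Optional[str]     # None when the header was absent
    response_prefix: bytes = b""  # first bytes of the response body

def download_reasons(rec: HttpRecord) -> List[str]:
    """Reasons a GET looks like the diary's disguised payload download."""
    reasons = []
    if rec.user_agent is None:
        reasons.append("no User-Agent header")
    if rec.path.lower().endswith(IMAGE_EXTENSIONS) and rec.response_prefix.startswith(PE_MAGIC):
        reasons.append("image URL returned a PE executable")
    return reasons

def triage(records: List[HttpRecord]) -> List[str]:
    """One finding per suspicious record; a POST to a .php path counts only when
    the same client earlier fetched a PE disguised as an image."""
    findings, downloaders = [], set()
    for rec in records:  # assumed to be in time order
        reasons = download_reasons(rec) if rec.method == "GET" else []
        if "image URL returned a PE executable" in reasons:
            downloaders.add(rec.src_host)
        if rec.method == "POST" and rec.path.lower().endswith(".php") and rec.src_host in downloaders:
            reasons.append("POST to .php after disguised PE download (possible check-in)")
        if reasons:
            findings.append(f"{rec.src_host} -> {rec.dst_host}:{rec.dst_port} {rec.method} {rec.path}: {'; '.join(reasons)}")
    return findings

# Constructed sample traffic; destination hosts and paths are the diary's indicators.
SAMPLE = [
    HttpRecord("10.0.0.5", "a.doko.moe", 443, "GET", "/tkencn.jpg", None, b"MZ\x90\x00"),
    HttpRecord("10.0.0.5", "decvit.ga", 80, "POST", "/and/cat.php", "Mozilla/4.0", b""),
    HttpRecord("10.0.0.7", "example.org", 443, "GET", "/logo.png", "Mozilla/5.0", b"\x89PNG"),
    HttpRecord("10.0.0.7", "example.org", 443, "POST", "/login.php", "Mozilla/5.0", b""),
]
```

Running `triage(SAMPLE)` yields two findings: the disguised download from 10.0.0.5 and its follow-up POST to decvit.ga, while the benign PNG fetch and the unrelated login POST from 10.0.0.7 are left alone.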