{
	"id": "73655cd8-6bdf-4c89-a0af-5e023e5f8559",
	"created_at": "2026-04-06T00:16:18.708492Z",
	"updated_at": "2026-04-10T03:21:25.045553Z",
	"deleted_at": null,
	"sha1_hash": "c7b5a51bd8eda27a92786b06e84862643c799102",
	"title": "Malspam pushing Lokibot malware - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2530472,
	"plain_text": "Malspam pushing Lokibot malware - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 14:25:10 UTC\r\nIntroduction\r\nI've frequently seen malicious spam pushing Lokibot (also spelled \"Loki-Bot\") since 2017. This year, I've written diaries about it in February 2018 and June 2018. I most recently posted an example to my blog on 2018-11-26. This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from Monday 2018-12-03.\r\nThe email\r\nTemplates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as a purchase quotation. The email contained an Excel spreadsheet with a macro designed to infect vulnerable Windows hosts with Lokibot malware. Potential victims need to click through Office's warnings before the macro runs, so this is not an especially stealthy method of infection.\r\nhttps://isc.sans.edu/diary/24372\r\nPage 1 of 6\r\nShown above: Screenshot of the email with an attached Excel spreadsheet.\r\nInfection traffic\r\nA macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe. I used Fiddler to monitor the HTTPS traffic and determine the URL. The HTTPS request to a.doko[.]moe had no User-Agent string. If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request: passing -H \"User-Agent:\" with an empty value tells curl to omit its default User-Agent header rather than send one.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nShown above: Using curl to retrieve the Lokibot malware binary from a.doko[.]moe.\r\nShown above: Post-infection traffic from the Lokibot-infected Windows host.\r\nForensics on the infected host\r\nThe infected Windows host made Lokibot persistent through a Windows registry update. This registry update was quite similar to previous Lokibot infections I've generated in my lab environment. In this example, the infected host also had a VBS file in the Windows Start menu Startup folder. This pointed to another copy of the Lokibot malware executable; however, that executable had deleted itself during the infection. The only remaining Lokibot executable was in the directory path listed in the associated Windows registry entry.\r\nShown above: Windows registry update to keep Lokibot persistent.\r\nShown above: VBS file in the Startup menu folder specifying a location where the malware had deleted itself.\r\nIndicators\r\nThe following are indicators from an infected Windows host. Any URLs, IP addresses, and domain names have been \"de-fanged\" to avoid any issues when viewing today's diary.\r\nTraffic from an infected Windows host:\r\n185.83.215[.]3 port 443 - a.doko[.]moe - GET /tkencn.jpg (encrypted HTTPS traffic)\r\n199.192.27[.]109 port 80 - decvit[.]ga - POST /and/cat.php\r\nMalware from an infected Windows host:\r\nSHA256 hash: 58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8\r\nFile size: 853,504 bytes\r\nFile name: 62509871.xls\r\nFile description: Attached Excel spreadsheet with macro to retrieve Lokibot\r\nSHA256 hash: b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e\r\nFile size: 853,504 bytes\r\nFile location: hxxps://a.doko[.]moe/tkencn.jpg\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\44631D\\D1B132.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\sticik\\stickiy.exe (deleted itself during the infection)\r\nFile description: Lokibot malware binary\r\nFinal words\r\nEmail, pcap, and malware for the infection can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/24372",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://isc.sans.edu/diary/24372"
	],
	"report_names": [
		"24372"
	],
	"threat_actors": [],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7b5a51bd8eda27a92786b06e84862643c799102.pdf",
		"text": "https://archive.orkl.eu/c7b5a51bd8eda27a92786b06e84862643c799102.txt",
		"img": "https://archive.orkl.eu/c7b5a51bd8eda27a92786b06e84862643c799102.jpg"
	}
}
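The diary above lists its indicators in de-fanged form and notes two things a detection engineer can act on: the macro's download request to a.doko[.]moe carried no User-Agent header, and reproducing it with curl requires -H "User-Agent:" to suppress curl's default header. The following added example (not code from the ISC diary or from Brad Duncan) re-fangs the diary's indicators, runs them over a few constructed proxy log lines, flags the missing-User-Agent heuristic separately from exact indicator hits, and builds the curl argument list that replays a logged request faithfully. The log format, the sample log lines, and the client/destination addresses other than the diary's own are assumptions made for illustration.

```python
"""Match the diary's de-fanged Lokibot indicators against proxy log lines.

Added example, not code from the ISC diary or its author. The indicator
values are the ones listed in the diary; the log format and the log lines
below are constructed for illustration.
"""
import re
from typing import Dict, List

# Indicators as printed in the diary (still de-fanged).
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domains": ["a.doko[.]moe", "decvit[.]ga"],
    "ips": ["185.83.215[.]3", "199.192.27[.]109"],
    "paths": ["/tkencn.jpg", "/and/cat.php"],
    "sha256": [
        "58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8",
        "b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e",
    ],
}


def refang(value: str) -> str:
    """Undo the diary's de-fanging: '[.]' back to '.', leading 'hxxp' back to 'http'."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


# Re-fanged lookup sets, lower-cased so matching is case-insensitive.
IOCS: Dict[str, set] = {
    kind: {refang(v).lower() for v in values} for kind, values in DEFANGED_IOCS.items()
}

# Assumed (constructed) log format, one request per line:
#   src_ip dst_ip dst_port method host path user_agent
# A user agent of "-" means the request carried no User-Agent header at all.
LOG_FIELDS = ("src", "dst", "dport", "method", "host", "path", "ua")

# Constructed sample log; only the diary's own IOCs appear on lines 1 and 2.
SAMPLE_LOG = """\
10.0.0.5 185.83.215.3 443 GET a.doko.moe /tkencn.jpg -
10.0.0.5 199.192.27.109 80 POST decvit.ga /and/cat.php Mozilla/5.0 (Windows NT 6.1)
10.0.0.7 93.184.216.34 443 GET www.example.com /index.html Mozilla/5.0 (Windows NT 6.1)
10.0.0.8 203.0.113.9 80 GET cdn.example.net /logo.png -
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into fields; the user agent (last field) may contain spaces."""
    parts = line.split(None, len(LOG_FIELDS) - 1)
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    rec: Dict[str, object] = dict(zip(LOG_FIELDS, parts))
    rec["dport"] = int(parts[2])
    return rec


def classify(rec: Dict[str, object]) -> List[str]:
    """Return the reasons a request is suspicious, in a fixed order.

    Exact IOC hits are strong signals. A missing User-Agent header on its own
    is only a weak heuristic (the diary notes the macro's download had none),
    so it is reported under a separate 'heuristic:' prefix.
    """
    reasons: List[str] = []
    if str(rec["host"]).lower() in IOCS["domains"]:
        reasons.append("ioc:domain")
    if rec["dst"] in IOCS["ips"]:
        reasons.append("ioc:ip")
    if str(rec["path"]).lower() in IOCS["paths"]:
        reasons.append("ioc:path")
    if rec["ua"] == "-":
        reasons.append("heuristic:no-user-agent")
    return reasons


def scan(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to reasons for every line that raised at least one."""
    hits: Dict[int, List[str]] = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line))
        if reasons:
            hits[lineno] = reasons
    return hits


def hash_is_known(sha256_hex: str) -> bool:
    """Check a SHA256 digest (any letter case) against the diary's file hashes."""
    return sha256_hex.lower() in IOCS["sha256"]


def replay_command(rec: Dict[str, object], output: str = "sample.bin") -> List[str]:
    """Build a curl argv that replays a logged request with the same User-Agent
    behaviour: -H "User-Agent:" (empty value) makes curl drop its default header."""
    scheme = "https" if rec["dport"] == 443 else "http"
    cmd = ["curl", "--silent", "--output", output]
    if rec["ua"] == "-":
        cmd += ["-H", "User-Agent:"]
    else:
        cmd += ["-A", str(rec["ua"])]
    return cmd + [f"{scheme}://{rec['host']}{rec['path']}"]


if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(reasons)}")
```

Line 4 of the sample shows why the missing-User-Agent signal is kept apart from indicator hits: plenty of benign tooling sends no User-Agent, so on its own it is a triage cue, not a verdict. The replay command is only for a lab host that is allowed to talk to the hosting site; run it through the same proxy or sandbox you would use for any live sample fetch.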