Malspam pushing Lokibot malware - SANS Internet Storm Center
By SANS Internet Storm Center
Archived: 2026-04-05 14:25:10 UTC
Introduction
I've frequently seen malicious spam pushing Lokibot (also spelled "Loki-Bot") since 2017.  This year, I've written
diaries about it in February 2018 and June 2018.  I most recently posted an example to my blog on 2018-11-26. 
This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from
Monday 2018-12-03.
The email
Templates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as
a purchase quotation.  The email contained an Excel spreadsheet with a macro designed to infect vulnerable
Windows hosts with Lokibot malware.  Potential victims need to click through warnings, so this is not an
especially stealthy method of infection.
https://isc.sans.edu/diary/24372
Page 1 of 6

Shown above:  Screenshot of the email with an attached Excel spreadsheet.
Infection traffic
A macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe.  I
used Fiddler to monitor the HTTPS traffic and determine the URL.  The HTTPS request to a.doko[.]moe had no
User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent
line from your HTTPS request.
https://isc.sans.edu/diary/24372
Page 2 of 6

Shown above:  Traffic from the infection filtered in Wireshark.
Shown above:  Using curl to retrieve the Lokibot malware binary from a.doko[.]moe.
Shown above:  Post-infection traffic from the Lokibot-infected Windows host.
Forensics on the infected host
https://isc.sans.edu/diary/24372
Page 3 of 6

The infected Windows host made Lokibot persistent through a Windows registry update.  This registry update was
quite similar to previous Lokibot infections I've generated in my lab environment.  In this example, the infected
host also had a VBS file in the Windows menu Startup folder.  This pointed to another copy of the Lokibot
malware executable; however, that executable had deleted itself during the infection.  The only existing Lokibot
executable was in the directory path listed in the associated Windows registry entry.
Shown above:  Windows registry update to keep Lokibot persistent.
https://isc.sans.edu/diary/24372
Page 4 of 6

Shown above:  VBS file in the Startup menu folder specifying a location where the malware had deleted itself.
Indicators
The following are indicators from an infected Windows host.  Any URLs, IP addresses, and domain names have
been "de-fanged" to avoid any issues when viewing today's diary.
Traffic from an infected windows host:
185.83.215[.]3 port 443 - a.doko[.]moe - GET /tkencn.jpg   (encrypted HTTPS traffic)
199.192.27[.]109 port 80 - decvit[.]ga - POST /and/cat.php
Malware from an infected windows host:
SHA256 hash:  58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8
File size:  853,504 bytes
File name:  62509871.xls
File description:  Attached Excel spreadsheet with macro to retrieve Lokibot
SHA256 hash:  b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e
File size:  853,504 bytes
File location:  hxxps://a.doko[.]moe/tkencn.jpg
File location:  C:\Users\[username]\AppData\Roaming\44631D\D1B132.exe
File location:  C:\Users\[username]\AppData\Roaming\sticik\stickiy.exe   (deleted itself during the
infection)
https://isc.sans.edu/diary/24372
Page 5 of 6

File description:  Lokibot malware binary
Final words
Email, pcap, and malware for the infection can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Source: https://isc.sans.edu/diary/24372
https://isc.sans.edu/diary/24372
Page 6 of 6