{
	"id": "33c5914f-1adc-49d8-9924-5341384861e8",
	"created_at": "2026-04-06T00:18:31.245691Z",
	"updated_at": "2026-04-12T02:21:17.907138Z",
	"deleted_at": null,
	"sha1_hash": "d6d1e11c6c61a6053a16dca901a2b3ce291a025f",
	"title": "Malware-Traffic-Analysis.net - 2017-06-12 - Lokibot infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 947987,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-06-12 - Lokibot infection\r\nArchived: 2026-04-05 17:23:36 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new\r\npassword, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-06-12-Lokibot-infection-traffic.pcap.zip   2.5 kB (2,545 bytes)\r\n2017-06-12-Lokibot-infection-traffic.pcap   (9,334 bytes)\r\n2017-06-12-Lokibot-email-and-malware.zip   486.0 kB (485,984 bytes)\r\n2017-06-12-Lokibot-malspam-0137-UTC.eml   (213,873 bytes)\r\nPO12062017.ace   (157,430 bytes)\r\nPO12062017.exe   (327,680 bytes)\r\nNOTES:\r\nSomewhat similar to the Lokibot activity I documented last week on 2017-06-07\r\nToday the email had an attached zip archive containing was a Word document with an embedded .js file\r\nthat downloaded Lokibot.\r\nThis time it was an ACE archive attachment that contained the Windows EXE for Lokibot.\r\nEMAILS\r\nhttp://www.malware-traffic-analysis.net/2017/06/12/index.html\r\nPage 1 of 4\n\nShown above:  Screen shot from the email.\r\nEMAIL HEADERS:\r\nDate:  Monday 2017-06-12 at 01:37 UTC\r\nFrom:  \"Amina Diab\" \u003cdxboman@emirates[.]net[.]ae\u003e\r\nSubject:  Re: PURCHASE ORDER 457211\r\nAttachment:  PO12062017.ace\r\nhttp://www.malware-traffic-analysis.net/2017/06/12/index.html\r\nPage 2 of 4\n\nShown above:  Malicious executable in ACE archive from the malspam.\r\nTRAFFIC\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nASSOCIATED DOMAINS:\r\n192.99.2[.]94 port 80 - 192.99.2[.]94 - POST /~sadrenam/mmt/Panel/five/fre.php\r\nFILE HASHES\r\nACE ARCHIVE FROM THE EMAIL:\r\nSHA256 hash:  42306a26580cf29068f1a716aaa61d1a4921b2206f3e8234d86d6fcc607d7be8\r\nFile size:  157,430 bytes\r\nFile name:  PO12062017.ace\r\nMALICIOUS BINARY EXTRACTED FROM THE ACE ARCHIVE (LOKI BOT):\r\nhttp://www.malware-traffic-analysis.net/2017/06/12/index.html\r\nPage 3 of 4\n\nSHA256 hash:  7e9c05cff0e0ac10640100c801c3f56470fb6166bbf4e67fa28c63af683458e4\r\nFile size:  327,680 bytes\r\nFile name:  PO12062017.exe\r\nFile location on the infected host:  C:\\Users\\[username]\\AppData\\Roaming\\[subfolder]\\[filename].exe\r\nADDITIONAL FILE NOTED ON THE INFECTED HOST:\r\nSHA256 hash:  121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\r\nFile location:  C:\\Users\\[username]\\AppData\\Roaming\\C72387\\7571BA.exe\r\nFile size:  20,992 bytes\r\nFile description:  Appears to be a copy of the legitimate Microsoft file svchost.exe\r\nIMAGES\r\nShown above:  Updated Windows registry with the same file as last time.\r\nClick here to return to the main page.\r\nSource: http://www.malware-traffic-analysis.net/2017/06/12/index.html\r\nhttp://www.malware-traffic-analysis.net/2017/06/12/index.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.malware-traffic-analysis.net/2017/06/12/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775960477,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6d1e11c6c61a6053a16dca901a2b3ce291a025f.pdf",
		"text": "https://archive.orkl.eu/d6d1e11c6c61a6053a16dca901a2b3ce291a025f.txt",
		"img": "https://archive.orkl.eu/d6d1e11c6c61a6053a16dca901a2b3ce291a025f.jpg"
	}
}