2018-11-26 - INFECTION FROM MALSPAM PUSHING LOKIBOT

ASSOCIATED FILES:

  • 2018-11-26-Lokibot-malspam-0654-UTC.eml   (458,848 bytes)
  • 2018-11-26-Lokibot-infection-traffic.pcap   (8,218 bytes)
  • 2018-11-26-Lokibot-extracted-from-attached-archive.exe   (1,111,864 bytes)
  • 2018-11-26-archive-file-attached-to-malspam.zip   (336,998 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest blocking anything to the following domain:


EMAIL


Shown above: Screenshot of the email.


EMAIL INFORMATION:


TRAFFIC


Shown above: Traffic from the infection filtered in Wireshark.



Shown above: Following the TCP stream from an HTTP request in the post-infection traffic.


INFECTION TRAFFIC:


MALWARE

EMAIL ATTACHMENT (ZIP ARCHIVE):

EXTRACTED LOKIBOT MALWARE:



Shown above: Windows registry update to keep the Lokibot infection persistent.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
