2019-01-03 - MALSPAM PUSHES LOKIBOT

ASSOCIATED FILES:

 


Shown above:  Flow chart for today's Lokibot malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic related to this malware, I suggest the following domain:

 

HEADERS FROM A MALSPAM EXAMPLE


Shown above:  Screenshot from the malspam.

 

Received: from vl23445.dns-privadas.es (gestion.geydes.es [212.48.86.207])
        by
[removed]; Thu, 20 Dec 2018 16:13:53 +0100
        (envelope-from <proc400@khusheim.com>)
Received: from webmail.ngfsl.com (vl23445.dns-privadas.es [IPv6:::1])
        by vl23445.dns-privadas.es (Postfix) with ESMTPA id 307DDD0A14BD;
        Thu, 3 Jan 2019 02:34:50 +0100 (CET)
Authentication-Results: vl23445;
        spf=pass (sender IP is ::1) smtp.mailfrom=proc400@khusheim.com
        smtp.helo=webmail.ngfsl.com
Received-SPF: pass (vl23445: connection is authenticated)
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="=_908c3a0142246c9184cbaa1f9a7ceda7"
Date: Thu, 03 Jan 2019 01:34 UTC
From: khusheim <proc400@khusheim.com>
To:
[removed]
Subject: RFQ#5500177966
In-Reply-To: <f779b6fd830934e37b882e11047154aa@khusheim.com>
References: <f779b6fd830934e37b882e11047154aa@khusheim.com>
Message-ID: <ff6063b0522c32d4d90d9264a732fadb@khusheim.com>
X-Sender: proc400@khusheim.com
User-Agent: Roundcube Webmail/1.2.7
X-PPP-Message-ID: <20190103013450.8963.7962@vl23445.dns-privadas.es>
X-PPP-Vhost: ngfsl.com

 


Shown above:  Extracting Lokibot malware from the attached RAR archive.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  TCP stream of the first HTTP request caused by Lokibot.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

FILE HASHES

MALWARE FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Lokibot EXE copied itself to a newly-created folder under the user's AppData\Roaming directory as it idled 5 to 10 minutes.

 


Shown above:  The Lokibot EXE then moved itself to another newly-created folder under the user's AppData\Roaming directory and started its post-infection traffic.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.