Malspam Delivers Loki-Bot

Originally posted at

I received some malspam on 03/22/18 that contained two .doc file attachments. The subject of the email was “Order 2018-048 & 049, Please Confirm”. The attached exploit documents were named similarly to the subject of the email, “PO2018-048.doc” and “PO 2018-049.doc”.

Below is an image of the email:


Both “PO2018-048.doc” and “PO 2018-049.doc” are RTF exploit documents.

An example of one of the files opened is shown below:

Word document

Opening either “PO2018-048.doc” or “PO 2018-049.doc” will cause the victim’s host to download the Loki-Bot payload from

Download of LokiBot payload

Remote IP Address: (
Remote Port: 80
Process Name: EQNEDT32.EXE
Process Path: C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE

The file is downloaded to %TEMP% as RealTEKHD.exe and executed:


RealTEKHD.exe created file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.exe:


DropboxInstaller.exe writes to a start menu file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.Z9yRYh4jbeHJgNMR.lnk:

DropboxInstaller.exe created a child process, also named DropboxInstaller.exe, and the child process sends POST requests to the C2 server. The same child process also created B63C85.lck in %APPDATA%\E2FBBB and later deletes the file. The .lck file, which is named after characters 13 through 18 of the Bot GUID, is a lock file (created when decrypting Windows credentials or keylogging) and is one of the four files that can be found in this hidden folder. The other files are the .exe (copy of the malware used for persistence), the .hdb (database of hashes of data that has been exfiltrated), and the .kdb (database of keylogger data waiting to be sent to the C2).

The DropboxInstaller.exe child process moves and renames file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.exe to %APPDATA%\E2FBBB\B63C85.exe.

Hidden folder created in %APPDATA%:

hidden folder AppData

The folder is named after characters 8 through 13 of the Bot GUID. Furthermore, it contains a copy of the malware which has been named after characters 13 through 18 of the Bot GUID.

I ran the sample through another sandbox and the DropboxInstaller.exe child process created a key used for persistence at HKEY_CURRENT_USER. I don’t have a picture of the key to share with you but you can see an example of that at

More detailed information about the process tree and what changes are made to the file system and registry can be found in the Any.Run and Hybrid-Analysis reports that I’ve linked to in the hash section at the very bottom of this post.

The Bot GUID is created by grabbing the machine GUID from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and generating an MD5 hash of that string. However, only the first 24 characters of the MD5 hash (the full hash is 32 characters) make up the Bot GUID.

Example of Bot GUID:

Machine GUID string (lowercase): 9c3873bd-d616-4eb8-96c2-6aee0ecdf3dd
MD5 Hash: 6CD99ACE2FBBB63C852955B3C167AC07
Bot GUID: 6CD99ACE2FBBB63C852955B3
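The derivation above (MD5 of the MachineGuid string, truncated to 24 characters) and the naming rules for the hidden folder (characters 8 through 13) and the files inside it (characters 13 through 18) are easy to turn into a responder's helper that predicts where this sample's artifacts should be on a given host. The code below is an added example, not code from the post or from Loki-Bot; it assumes the MachineGuid is hashed as its lowercase ASCII bytes, and it assumes the .hdb and .kdb files share the same six-character stem as the .exe and .lck (the post names only those extensions).

```python
import hashlib
from typing import Dict


def bot_guid_from_machine_guid(machine_guid: str) -> str:
    """Return the Loki-Bot GUID: the first 24 hex characters of MD5(MachineGuid).

    The post says the MachineGuid string is MD5-hashed and truncated to 24 of the
    32 hex characters. Hashing the lowercase ASCII bytes of the string is an
    assumption made here.
    """
    digest = hashlib.md5(machine_guid.lower().encode("ascii")).hexdigest()
    return digest.upper()[:24]


def expected_artifacts(bot_guid: str, appdata: str = "%APPDATA%") -> Dict[str, str]:
    """Predict the hidden folder and file names Loki-Bot derives from a Bot GUID.

    Positions are 1-based in the post; Python slices below are 0-based:
      characters 8-13  -> hidden folder name under %APPDATA%
      characters 13-18 -> stem of the .exe / .lck files inside that folder
    """
    if len(bot_guid) != 24:
        raise ValueError("Bot GUID must be 24 hex characters")
    folder = bot_guid[7:13]
    stem = bot_guid[12:18]
    base = f"{appdata}\\{folder}"
    return {
        "folder": base,
        "exe": f"{base}\\{stem}.exe",  # persistence copy of the malware
        "lck": f"{base}\\{stem}.lck",  # lock file, created during cred decryption / keylogging
        # Assumption: the hash DB and keylog DB use the same stem as the .exe/.lck.
        "hdb": f"{base}\\{stem}.hdb",
        "kdb": f"{base}\\{stem}.kdb",
    }


if __name__ == "__main__":
    # MachineGuid value taken from the post's worked example.
    machine_guid = "9c3873bd-d616-4eb8-96c2-6aee0ecdf3dd"
    guid = bot_guid_from_machine_guid(machine_guid)
    print("Bot GUID:", guid)
    for name, path in expected_artifacts(guid).items():
        print(f"{name:6s} {path}")
```

With the post's Bot GUID (6CD99ACE2FBBB63C852955B3) the helper yields the folder E2FBBB and the file stem B63C85, matching the paths observed in the sandbox run; on a live host you would read MachineGuid from the registry and check whether those paths exist.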

POST to C2:

POST Request

The Loki-Bot sample has a binary ID (Bin ID) of “”. According to what I could find, this binary ID is associated with the Russian hacking forum “fuckav[.]ru”. We also see the victim’s account name, computer name, and Bot GUID.

Loki-Bot C2 panel:

LokiBot C2 Panel

Graphs on data coming in (reports, FTP, HTTP, Other) over the last 24 hours, OS statistics by reports, and OS statistics by Bots:

Main Section - 1

More statistics:

Main Section - 2

Main Section - 3

Main Section - 4

Main Section - 5

The Bots section shows the Bot GUID, Bin ID, IP address and country, PC information (computer name, account name, OS, screen resolution, number of reports collected), last time the bot was seen, and action (see commands):

BOTs Edited


Reports - 1

Other reports:

Reports - Other

HTTP reports:

Reports - HTTP

Example of a report:

Example of Report -1

Report options:

Example of Report


Bot Commands

  • Download & Run
  • Download & Load
  • Download & Drop
  • Remove Hash DB
  • Enable Keylogger
  • Shutdown Bot (Only Bot, not PC)
  • Update Bot
  • Update reconnect intervall
  • Uninstall Bot

Types of Commands

One thing to note: there are multiple Loki-Bot panels hosted on this server:

cPanel at


Additional Information:

Payloads hosted at * are even being named after the panel locations. For example, VT shows the following URLs hosted at

  • 2018-03-26: hxxp://office[.]erlivia[.]ltd/white.123
  • 2018-03-20: hxxp://office[.]erlivia[.]ltd/black.123
  • 2018-03-20: hxxp://office[.]erlivia[.]ltd/000.123

A full list can be seen HERE.

Subdomains that have a malicious history of their own:

Subdomains Resolution History and,, and and and,, and,, and

A blog post from Proofpoint on 03/23/18 shows hosting a document file that delivered Imminent Monitor RAT:

Below is the resolution history for

Resolution  Location  Network ASN  First Seen  Last Seen
            DE        24961        3/27/2018   3/30/2018
            RO        48874        2/9/2018    3/27/2018
            RO        48874        2/7/2018    2/8/2018
            RO        48874        1/29/2018   2/7/2018
            RO        48874        1/11/2018   1/27/2018
            RO        48874        1/9/2018    1/10/2018
            US        22612        12/5/2017   1/8/2018

VT history shows that some of these panels were once resolving to


Network IOCs

  • – – GET /white.123
  • – POST /white/fre.php – Loki-Bot C2
    • User-Agent String: Mozilla/4.08 (Charon; Inferno)

Additional IOCs

  • – POST /black/fre.php
  • – POST /000/fre.php
  • – POST /annonymous/fre.php
  • – POST /pal/fre.php
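The network IOCs above share a shape that survives the panels being moved between hosts: a POST to /<panel-directory>/fre.php and the fixed User-Agent "Mozilla/4.08 (Charon; Inferno)". The following is an added example (not code from the post) of a small proxy-log scanner that keys on those two traits, scoring a line high when both appear and low when only the URI pattern does. The log layout and every host, IP and timestamp in the sample are constructed for the example; the C2 hosts in the post are not reproduced here.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from the post: Loki-Bot check-ins are POSTs to /<panel-dir>/fre.php
# carrying the User-Agent "Mozilla/4.08 (Charon; Inferno)".
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
LOKI_C2_PATH = re.compile(r"^/[^/]+/fre\.php$")

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client-ip> <method> <url> "<user-agent>" <status>
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')

# Constructed sample log; hosts use the reserved .invalid TLD and are not real IOCs.
SAMPLE_LOG = """\
2018-03-22T10:14:02Z 10.0.0.5 POST http://panel-a.example.invalid/white/fre.php "Mozilla/4.08 (Charon; Inferno)" 200
2018-03-22T10:14:05Z 10.0.0.5 GET http://panel-a.example.invalid/white.123 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" 200
2018-03-22T10:15:11Z 10.0.0.9 GET http://intranet.example.invalid/index.html "Mozilla/5.0 (Windows NT 10.0)" 200
2018-03-22T10:16:40Z 10.0.0.7 POST http://panel-b.example.invalid/000/fre.php "Mozilla/4.08 (Charon; Inferno)" 200
2018-03-22T10:17:03Z 10.0.0.7 POST http://app.example.invalid/api/fre.php "Mozilla/5.0 (X11; Linux)" 200
"""


def classify(method: str, url: str, user_agent: str) -> List[str]:
    """Return the Loki-Bot indicators present in one request (empty if none)."""
    indicators = []
    if method == "POST" and LOKI_C2_PATH.match(urlsplit(url).path):
        indicators.append("post-to-fre.php")
    if user_agent == LOKI_USER_AGENT:
        indicators.append("charon-inferno-user-agent")
    return indicators


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """Scan proxy log text and return one hit per request that matched an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, method, url, ua, _status = m.groups()
        indicators = classify(method, url, ua)
        if not indicators:
            continue
        hits.append({
            "time": ts,
            "client": client,
            "url": url,
            "indicators": indicators,
            # Both traits together are the post's C2 signature; the URI alone is weaker.
            "confidence": "high" if len(indicators) == 2 else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["confidence"], hit["client"], hit["url"], ", ".join(hit["indicators"]))
```

On the constructed sample this flags the two check-ins from 10.0.0.5 and 10.0.0.7 as high confidence and the unrelated /api/fre.php POST as low, which is the triage order a SOC analyst would want; the payload fetch (white.123) is left to a separate rule, since a bare file-extension match is noisy.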


The password is “infected”.


  1. You are amazing. I'm in school for secops related stuff rn and I hope to come to your level one day, where I can sandbox an Exploit Kit and use it to figure the whole malware's path and plan out. Great job 🙂


