General

  • Target

    Overdue_Invoice_2300492100_2300492101.xlsx

  • Size

    2.3MB

  • Sample

    210115-te5b33f452

  • MD5

    d6bd4c2dbc112f42cf92bf59bd6aa1be

  • SHA1

    f4947e410c7728dffe063ba7a1962862887bd85f

  • SHA256

    bf2d74b1311d22739fa9ed518fd0a742e3304675863acba687cc4a10f1a1a010

  • SHA512

    c66b1c3380f15c3ef41af11c44a204455c60a84b10cb55ae58f9f659f56ff7f5ecf62aa6ea4812d887402c1747946de77a6dd872fdc59283fb6214c63eebf800

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://lmpulsefashion.net/chief/kev/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      Overdue_Invoice_2300492100_2300492101.xlsx

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic           Technique                          Count  ID
  Execution        Scripting                          1      T1064
  Execution        Exploitation for Client Execution  1      T1203
  Defense Evasion  Scripting                          1      T1064
  Defense Evasion  Modify Registry                    1      T1112
  Discovery        Query Registry                     2      T1012
  Discovery        System Information Discovery       2      T1082

Tasks