General

  • Target

    1092991 JB082.xlsx

  • Size

    1.4MB

  • Sample

    210118-ljqvgt88xa

  • MD5

    30d056194fe01f23c8c2641efd5ac6a9

  • SHA1

    48f7b214956d66749cd837e1ba928ff4659154ac

  • SHA256

    e87cc5f8980e2d0195de7dbce6d4efa8b4fecec5eb1c169497a3bd191029c49e

  • SHA512

    de700d174f6817ac84eec3e232273b9da32b58b3288a30602949654d36acac8f92b5e74843623baa3f8759dd9a60844df4cb33d1b1bee083a660fd300568566b

Malware Config

Extracted

Family

lokibot

C2

http://okpana.com/chief/kev/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
