Overview

overview

10

Static

static

M.V. OMNI TIGRIS.xlsx

windows7_x64

10

M.V. OMNI TIGRIS.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    M.V. OMNI TIGRIS.xlsx

  • Size

    2.4MB

  • Sample

    210422-7wbswehgls

  • MD5

    f2b5bbd42400e7c4b181d99ab1e75d92

  • SHA1

    84054fced977eb7e9d2cd5675286b364e6b7d56d

  • SHA256

    da60cfcd432612818f35da7974929c8c1eb1226be19b84bd319dcaddc1f9cf03

  • SHA512

    9d2eaac66c7f6cf4286c55316ad0f4e096b49dcc4f1e35699cf6e47ab6c51421fd74dbb26f79c8835865c5b8315b5f30101c4155f9ad1f06be97184e8500a15a

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://amrp.tw/clue/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      M.V. OMNI TIGRIS.xlsx

    • Size

      2.4MB

    • MD5

      f2b5bbd42400e7c4b181d99ab1e75d92

    • SHA1

      84054fced977eb7e9d2cd5675286b364e6b7d56d

    • SHA256

      da60cfcd432612818f35da7974929c8c1eb1226be19b84bd319dcaddc1f9cf03

    • SHA512

      9d2eaac66c7f6cf4286c55316ad0f4e096b49dcc4f1e35699cf6e47ab6c51421fd74dbb26f79c8835865c5b8315b5f30101c4155f9ad1f06be97184e8500a15a

    Score
    10/10
    lokibotspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks