General

  • Target

    PRJ No. PG6432 KHE SHELL-RFQ-Project Documents & specs.exe

  • Size

    444KB

  • Sample

    210426-eqcy955j36

  • MD5

    75af2c38b49bb7a98e001725edf88559

  • SHA1

    6f48f3e6d4d1c3d49a2f6a70fa707315ec9fcebc

  • SHA256

    a2f517902067cb80e4115511d3c530a39fece06060e0569af7d197eaa7ea6ef5

  • SHA512

    d8b603a8e4210d70898a8a6665667ebb5e35131e952078fa36f4bbd26cd0810d65639339f30b2b7406c61edd5876e3e581b467b3f1d203f30bfafa8ee1e6e377

Malware Config

Extracted

Family

lokibot

C2

http://104.168.140.79/ghost/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
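The five C2 URLs above are the actionable indicators in this report. The script below is an added example (not part of the report or the sandbox's own tooling) that loads those URLs and scans web-proxy log lines for them. It flags an exact host-plus-path hit as "c2", any other request to one of the C2 hosts as "host", and a POST to a path ending in "/fre.php" on an unknown host as "suspect", since that gate path is shared by all five URLs. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; the response status is deliberately ignored because the connection attempt is the indicator, whatever the panel answers.

```python
"""Match the Lokibot C2 indicators from this report against web-proxy log lines."""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report above.
LOKIBOT_C2 = [
    "http://104.168.140.79/ghost/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def index_c2(urls):
    """Return {host: set(paths)} so each log line costs one dict lookup."""
    by_host = {}
    for u in urls:
        parts = urlsplit(u)
        by_host.setdefault(parts.hostname.lower(), set()).add(parts.path)
    return by_host


def classify(method, url, by_host):
    """Return 'c2', 'host', 'suspect' or None for one request.

    'c2'      exact host and path from the report
    'host'    known C2 host, different path (scanning, stripped query, etc.)
    'suspect' POST to a /fre.php gate on a host not in the report (heuristic)
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in by_host:
        return "c2" if parts.path in by_host[host] else "host"
    if method.upper() == "POST" and parts.path.endswith("/fre.php"):
        return "suspect"
    return None


def scan_proxy_log(lines, urls=LOKIBOT_C2):
    """Parse 'ts client method url status' lines (assumed format) and return hits."""
    by_host = index_c2(urls)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than crash
        ts, client, method, url, _status = fields[:5]
        verdict = classify(method, url, by_host)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url, "verdict": verdict})
    return hits


# Constructed sample log for the example; not taken from the report.
SAMPLE_LOG = """\
2021-04-26T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2021-04-26T10:01:09Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404
2021-04-26T10:01:40Z 10.0.0.15 POST http://104.168.140.79/ghost/fre.php 200
2021-04-26T10:02:00Z 10.0.0.22 GET http://alphastand.top/robots.txt 404
2021-04-26T10:03:11Z 10.0.0.31 POST http://203.0.113.7/panel/fre.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

In the sample, client 10.0.0.15 produces two "c2" hits and should be treated as infected; the "host" and "suspect" verdicts are leads to triage, not confirmed infections, because the heuristic on "/fre.php" will also catch unrelated sites that happen to use that filename.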

Targets

    • Target

      PRJ No. PG6432 KHE SHELL-RFQ-Project Documents & specs.exe


    • Lokibot

      Lokibot is an information stealer that harvests saved credentials (browsers, mail and FTP clients) and cryptocurrency wallet files, then exfiltrates them to its C2 over HTTP.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext
