General

  • Target

    RFQ-EB200-PLOO1_Bidding.pdf.exe

  • Size

    428KB

  • Sample

    210503-ffd5q1lwhx

  • MD5

    0b1c21615413f0177e744c3085ff4316

  • SHA1

    50d5ec35d24a91d0f374d52b4074ff4683808b05

  • SHA256

    2c79441587c24d3a87a2fb4ce636bbb2213853dcaa4d8cadcf5613c56d0df3b2

  • SHA512

    7efd643cb83c53e61bd8882e986d4c4c0d8ac58d28167d2f8784440b2069c8a0792720a532e7e266e4d24502ef495386f544c4c2f0e9a64685254a4c7e6dbdb4

Malware Config

Extracted

Family

lokibot

C2

http://104.168.175.179/ghost1/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext
