General

  • Target

    RFQ-EB200-PLOO1_Bidding.pdf.exe

  • Size

    427KB

  • Sample

    210503-napamy3as2

  • MD5

    56bd48b55b18b3b9322d394029e5311c

  • SHA1

    564712776b933e50599e21a7712f67f4bf5bf148

  • SHA256

    6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f

  • SHA512

    f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06

Malware Config

Extracted

Family

lokibot

C2

http://104.168.175.179/ghost1/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      RFQ-EB200-PLOO1_Bidding.pdf.exe

    • Size

      427KB

    • MD5

      56bd48b55b18b3b9322d394029e5311c

    • SHA1

      564712776b933e50599e21a7712f67f4bf5bf148

    • SHA256

      6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f

    • SHA512

      f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks