General

  • Target: RFQ-IOCL-PP-IN-301.exe
  • Size: 537KB
  • Sample: 210503-ycxyelfk5j
  • MD5: 28e20b5b3364fd35e295e55739159f55
  • SHA1: 2889f9100a67cf9897f3d2a3008faae0d21c1380
  • SHA256: df07fc647c48c2ffeed6649fd82dd9ea0c51a0157f397b625bc4cc54f1609ee1
  • SHA512: 0cf6094bf41a999b1c4318789e2d952ca4e6b5e93efe5a0a3b146c369a6fb427a2a8e5ca005b1b49d281567cd9af44106e4f058f847501d73c9b809faf655bf8

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://104.168.175.179/ghost/panel/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Lokibot
      Lokibot is a Password and CryptoCoin Wallet Stealer.
    • Executes dropped EXE
    • Loads dropped DLL
    • Obfuscated with Agile.Net obfuscator
      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks