Overview

overview

10

Static

static

8

PL_017542000.doc

windows7_x64

10

PL_017542000.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PL_017542000.doc

  • Size

    467KB

  • Sample

    210511-95fy3g9l4e

  • MD5

    f4e2b625051dd9283bbec085e56d0ab1

  • SHA1

    118cae287ef1505bf04f75d5811c340ea01fa949

  • SHA256

    f6e0f11f26c59925ad1bd23c4dc586de71af0863d7273ad41a17efd92384167c

  • SHA512

    05b3d3e1181265359cd1264f3d9b07f5d04da696791877c98f5a9a437aba4e00b35e231c76b3f7a948fd5bf1794ca1d807a04b44a523ca378971986056b98c2b

Score
10/10
lokibotmacromacro_on_actionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://209.141.50.70/D3/13/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PL_017542000.doc

    • Size

      467KB

    • MD5

      f4e2b625051dd9283bbec085e56d0ab1

    • SHA1

      118cae287ef1505bf04f75d5811c340ea01fa949

    • SHA256

      f6e0f11f26c59925ad1bd23c4dc586de71af0863d7273ad41a17efd92384167c

    • SHA512

      05b3d3e1181265359cd1264f3d9b07f5d04da696791877c98f5a9a437aba4e00b35e231c76b3f7a948fd5bf1794ca1d807a04b44a523ca378971986056b98c2b

    Score
    10/10
    lokibotspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks