General
-
Target
Quotation For Products.doc
-
Size
416KB
-
Sample
210611-7md4c7mlqx
-
MD5
3a99afd85fb1e4bda80f0a8bb2476616
-
SHA1
2398d29a7cd49968a3ea037821cf864579f20ce8
-
SHA256
2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f
-
SHA512
066b74b5a80ac126e71ec4be063f8a3aefd668bbda0f766821c660f961b71ec011c243da1eb3d5fa737e8d39bdeb81ceb190045e2777c14115f4e5cabc502022
Malware Config
Extracted
http://31.210.20.45/1xBet/dgeApp17.exe
Extracted
lokibot
http://209.141.34.39/cap-01/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Quotation For Products.doc
-
Size
416KB
-
MD5
3a99afd85fb1e4bda80f0a8bb2476616
-
SHA1
2398d29a7cd49968a3ea037821cf864579f20ce8
-
SHA256
2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f
-
SHA512
066b74b5a80ac126e71ec4be063f8a3aefd668bbda0f766821c660f961b71ec011c243da1eb3d5fa737e8d39bdeb81ceb190045e2777c14115f4e5cabc502022
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-