Quotation For Products.doc

General

Target: Quotation For Products.doc
Size: 416KB
Sample: 210611-7md4c7mlqx
Score: 10/10
MD5: 3a99afd85fb1e4bda80f0a8bb2476616
SHA1: 2398d29a7cd49968a3ea037821cf864579f20ce8
SHA256: 2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f
SHA512: 066b74b5a80ac126e71ec4be063f8a3aefd668bbda0f766821c660f961b71ec011c243da1eb3d5fa737e8d39bdeb81ceb190045e2777c14115f4e5cabc502022

Malware Config

Extracted
Language: ps1
Source URLs
  exe.dropper: http://31.210.20.45/1xBet/dgeApp17.exe

Extracted
Family: lokibot
C2:
  http://209.141.34.39/cap-01/pin.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

Targets

Target: Quotation For Products.doc (size, score and hashes as listed under General above)
Signatures

  • Lokibot
    Description: Lokibot is a password and cryptocurrency wallet stealer.

  • Process spawned unexpected child process
    Description: This typically indicates that the parent process was compromised via an exploit or a macro.

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Tasks

static1: 8/10
behavioral1: 10/10
behavioral2: 10/10