General

  • Target

    $90,000 MT103 Copy.docx

  • Size

    10KB

  • Sample

    210611-e7jqhy4hga

  • MD5

    0b52bc56b02374eb2752ae31d14c7372

  • SHA1

    636aa83cedf2db41010e6416bf621c0c89aff45e

  • SHA256

    761634c516d4a83a8745f99c197272c4e9a9473344c68c5c53397e4e2aff567f

  • SHA512

    f8f2bf2594b4794d3811be34921e8dea10ce3bc90c5ad71855aa48d4a3a4bebff43531392bf7036326ac5043dca3c67214c8407fa3aaafc99286a245b021d0e0

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://xy2.eu/e8ar

Extracted

Family

lokibot

C2

http://eyecos.ga/kung/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      $90,000 MT103 Copy.docx

    • Size

      10KB

    • MD5

      0b52bc56b02374eb2752ae31d14c7372

    • SHA1

      636aa83cedf2db41010e6416bf621c0c89aff45e

    • SHA256

      761634c516d4a83a8745f99c197272c4e9a9473344c68c5c53397e4e2aff567f

    • SHA512

      f8f2bf2594b4794d3811be34921e8dea10ce3bc90c5ad71855aa48d4a3a4bebff43531392bf7036326ac5043dca3c67214c8407fa3aaafc99286a245b021d0e0

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks