General

  • Target: 83caf8c3bb6dad10656c6452d070a17e71a030cb.docx
  • Size: 10KB
  • Sample: 210624-dy5knfajqj
  • MD5: 9e7b6d8be08b8b2557cb87a90cd931b9
  • SHA1: 83caf8c3bb6dad10656c6452d070a17e71a030cb
  • SHA256: e003fb7de75319cb0d30397adbf89bef53d8ccd44af2e9813c219b2571bad2d2
  • SHA512: 31d563862adc199c0bcba52325264502e357a6e786835d3865ad916adb3ecb5cf3271b63d4e45a6becfe2521fc6abfa637f02cc76729ac9e2c28dc04c5ac3fdf

Malware Config

Extracted

  • Rule: Microsoft Office WebSettings Relationship
  • C2: https://itsssl.com/rzuDW

Extracted

  • Family: lokibot
  • C2:
    http://manvim.co/fd6/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target: 83caf8c3bb6dad10656c6452d070a17e71a030cb.docx


    • Lokibot: Lokibot is a Password and CryptoCoin Wallet Stealer.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Abuses OpenXML format to download file from external location
    • Loads dropped DLL
    • Uses the VBS compiler for execution

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           ID     Count
  Execution        Scripting                           T1064  1
  Execution        Exploitation for Client Execution   T1203  1
  Defense Evasion  Scripting                           T1064  1
  Defense Evasion  Modify Registry                     T1112  1
  Discovery        Query Registry                      T1012  2
  Discovery        System Information Discovery        T1082  2