General

  • Target

    Quotation.xlsx

  • Size

    1.2MB

  • Sample

    210728-2kdn9cqrke

  • MD5

    7d4d448a7d403b6d949868b89edc010d

  • SHA1

    99c431853b504296c448035ba44d38426572063a

  • SHA256

    e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082

  • SHA512

    56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd14/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Quotation.xlsx

    • Size

      1.2MB

    • MD5

      7d4d448a7d403b6d949868b89edc010d

    • SHA1

      99c431853b504296c448035ba44d38426572063a

    • SHA256

      e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082

    • SHA512

      56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks