General

  • Target

    eDo For SPL depot.pdf.exe

  • Size

    474KB

  • Sample

    210915-gs66asdacn

  • MD5

    b80d4a1fe22f55ce0e62385944adf7a5

  • SHA1

    226ab77c8cedbc84c0df95f8868f2f6d4a7bdb2b

  • SHA256

    751a3906ac87fa9b3fad2661ee0a9ae6c5f2d2553c67f02a9c92e8bd1151d910

  • SHA512

    365c7a60d38412e92f3b15892106509a27a21db61d35fbf28ba2973ca773b16a69bcbbcb18d919c4b0b650a3244fef9e15996089306bc2018be9360e92a4ed8c

Malware Config

Extracted

Family

lokibot

C2

http://136.243.159.53/~element/page.php?id=487

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      eDo For SPL depot.pdf.exe

    • Size

      474KB

    • MD5

      b80d4a1fe22f55ce0e62385944adf7a5

    • SHA1

      226ab77c8cedbc84c0df95f8868f2f6d4a7bdb2b

    • SHA256

      751a3906ac87fa9b3fad2661ee0a9ae6c5f2d2553c67f02a9c92e8bd1151d910

    • SHA512

      365c7a60d38412e92f3b15892106509a27a21db61d35fbf28ba2973ca773b16a69bcbbcb18d919c4b0b650a3244fef9e15996089306bc2018be9360e92a4ed8c

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

System Information Discovery

1
T1082

Tasks