General

  • Target

    New Order List 16092021.xlsx

  • Size

    590KB

  • Sample

    210915-gy5vesdadm

  • MD5

    4a1d13469a6c817242e8b567bf34ab9a

  • SHA1

    a0d54f6c1205defad5f31cadf3393880e7c4c862

  • SHA256

    65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c

  • SHA512

    a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8

Malware Config

Extracted

Family

lokibot

C2

http://136.243.159.53/~element/page.php?id=475

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      New Order List 16092021.xlsx

    • Size

      590KB

    • MD5

      4a1d13469a6c817242e8b567bf34ab9a

    • SHA1

      a0d54f6c1205defad5f31cadf3393880e7c4c862

    • SHA256

      65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c

    • SHA512

      a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

  • Command and Control

    Web Service (T1102): 1

Tasks