Bank Details.xlsx

General

Target: Bank Details.xlsx
Size: 327KB
Sample: 211014-gakvcagcd8
Score: 10/10
MD5: 1cdbd552294df147d59c7098ce40584d
SHA1: 665ce5496ea7db7e44c01f6b6f448765d75e989f
SHA256: c19f592d9185040912a2901fdd4910ff4ebfd6c6b6ac3b41a1153d93828b1841
SHA512: ce4546f66e9c718ec270d2798add97581127d06232b424f74e1ef17e4b6af2c98c14092d4d2e5ee4fa31bbccfb1b1c57ae90ed5c26aca276b68b2d473feca877

Malware Config

Extracted

Family lokibot
C2


Targets
Signatures

  • Lokibot
    Description: Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files

  • Uses the VBS compiler for execution
    TTPs: Scripting

  • Accesses Microsoft Outlook profiles
    TTPs: Email Collection

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation