General

  • Target

    Tax Receipts.xlsx

  • Size

    369KB

  • Sample

    211021-wlbhdabebj

  • MD5

    bfcb6ecc43e9babe0ec5c17079353890

  • SHA1

    e74276419e06d32ce456a8a44fe801ecd24fbfa4

  • SHA256

    fce258aaff67f1ebf4c69bf8f19d48771428a983ef9c2b8811664a40f3d80cbf

  • SHA512

    0340ae2f1901daf2298f81d2e56443b368bdbcf702f226543853b311c86f13ce310c804ce8b1135db607d5a9e39613c57aac0d0bc96b4e22a1300464214870d2

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=386869

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Tax Receipts.xlsx

    • Size

      369KB

    • MD5

      bfcb6ecc43e9babe0ec5c17079353890

    • SHA1

      e74276419e06d32ce456a8a44fe801ecd24fbfa4

    • SHA256

      fce258aaff67f1ebf4c69bf8f19d48771428a983ef9c2b8811664a40f3d80cbf

    • SHA512

      0340ae2f1901daf2298f81d2e56443b368bdbcf702f226543853b311c86f13ce310c804ce8b1135db607d5a9e39613c57aac0d0bc96b4e22a1300464214870d2

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks