General

  • Target

    Purchase Order # PO211021-01.docx

  • Size

    10KB

  • Sample

    211022-csyrpsbhfl

  • MD5

    1b5c8e1ab3d91e363526c423f961c01f

  • SHA1

    a2e06479ad17e518d180896fd458f4523741540d

  • SHA256

    517af664cfadc897195445bd52929627257460831a2386df0bf2b064fa502c71

  • SHA512

    2725420b6313f55c1a5fca465a16002b0ebf02d76b382daa552b3c3f0fba80eebbf47692fe29e1077fac277125d68d0fdf0441397a288914e914dc8fbc071562

Malware Config

Extracted

  • Rule

    Microsoft Office WebSettings Relationship

  • C2

    https://shortclick.com/l

Extracted

  • Family

    lokibot

  • C2

    http://secure01-redirect.net/ga13/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      Purchase Order # PO211021-01.docx

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets service image path in registry

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the number of matching signatures.

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2
    Scripting (T1064): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1
    Email Collection (T1114): 1
