General
-
Target
tmp/170f5e25c6bc984209804a3a78cbfe892e3546e6831a49c6e09a3193ec8b2a2c.xls
-
Size
228KB
-
Sample
211206-jzaf1sdefr
-
MD5
7886cd797567b46cf9ee995211360990
-
SHA1
7a934fad9c753d1aed8d57bbd2c3f4db72f21d00
-
SHA256
170f5e25c6bc984209804a3a78cbfe892e3546e6831a49c6e09a3193ec8b2a2c
-
SHA512
4753530935ffcd28866ac90e90d3bd138124690f6f1fd1de9c9100ff13664c0a42a4875bf4f5aaee19770481dade773167b917943a5c81ffb2de9e00fc285551
Malware Config
Extracted
lokibot
http://hdmibonquet.ir/oluwa/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
tmp/170f5e25c6bc984209804a3a78cbfe892e3546e6831a49c6e09a3193ec8b2a2c.xls
-
Size
228KB
-
MD5
7886cd797567b46cf9ee995211360990
-
SHA1
7a934fad9c753d1aed8d57bbd2c3f4db72f21d00
-
SHA256
170f5e25c6bc984209804a3a78cbfe892e3546e6831a49c6e09a3193ec8b2a2c
-
SHA512
4753530935ffcd28866ac90e90d3bd138124690f6f1fd1de9c9100ff13664c0a42a4875bf4f5aaee19770481dade773167b917943a5c81ffb2de9e00fc285551
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-