General
-
Target
Trail order and company profile.xlsx
-
Size
229KB
-
Sample
211207-nl6phsbge7
-
MD5
77c3c23bc20a83593171169e25685fe2
-
SHA1
8c32fddb93ff0c85e010ca87807898816214ef7a
-
SHA256
e7629c10d98b4f80232ed640a2232269bcd8a727b78f3c01dfc86a058ddffe8c
-
SHA512
bdf79abda2ce2896d88b5934e56a3c7e5f680d01c41ea3e5ab6f628cb9b0bdd2a8faa9ca35cc3bb80af54c9ef5ec3b3c5fbf236ca73354456e009e2df2f5b115
Malware Config
Extracted
lokibot
http://lkk2.xyz/ddcontact/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Trail order and company profile.xlsx
-
Size
229KB
-
MD5
77c3c23bc20a83593171169e25685fe2
-
SHA1
8c32fddb93ff0c85e010ca87807898816214ef7a
-
SHA256
e7629c10d98b4f80232ed640a2232269bcd8a727b78f3c01dfc86a058ddffe8c
-
SHA512
bdf79abda2ce2896d88b5934e56a3c7e5f680d01c41ea3e5ab6f628cb9b0bdd2a8faa9ca35cc3bb80af54c9ef5ec3b3c5fbf236ca73354456e009e2df2f5b115
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-