Overview

overview

10

Static

static

PO_068_2.exe

windows7_x64

10

PO_068_2.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7cf77d3b4c3585318c522bc950d7d7236614121ce125e33cd6b7a3602d9cb7b3

  • Size

    1.2MB

  • Sample

    220121-3mg5wadbh6

  • MD5

    64d09508c2399e759043ecb4f721a2c1

  • SHA1

    4cc5c2ea24c4e730ce60aba99e7532e3e8ac68c2

  • SHA256

    7cf77d3b4c3585318c522bc950d7d7236614121ce125e33cd6b7a3602d9cb7b3

  • SHA512

    7e2d89da062a77af2a1b2c7fe7a8585988e6b1fc44ee1a3a7882be687c22e51c5a4b67a121de1ada6b25ff4ef772a5a8981f4e99283c327d876079a773e6a7aa

Score
10/10
lokibotagilenetcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://nl5329.ir/nrc1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PO_068_2.EXE

    • Size

      277KB

    • MD5

      70b33a850d27cfe19ec6598e19adcff5

    • SHA1

      3c9e9c38583991b31d24003cdf7e87ebb6301034

    • SHA256

      25b408ddee9e9b046cf94203cec4f56dd30734ccd3355c279b1142af087d149c

    • SHA512

      42d2b1e23fa2bf285300090099287d7ab0ba977d25ac0ff67d6f4fc731524402b8409f9ac6cdf877fac3cd9d37bdcbecc74ba69e0cb375441cadebdaf09b53fa

    Score
    10/10
    lokibotagilenetcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks