General
-
Target
Citate-1_2022-02-22_10-56.xlsx
-
Size
186KB
-
Sample
220223-qsjjnsbfbm
-
MD5
50ec47d421db7fdbe536cbe1e3da08e1
-
SHA1
e5073e9cd75af5f085b693a223e9d6f7aa80effd
-
SHA256
723ec9f9adec4d73a61d585531c7bc06d3b10ea246828b44cdd97a3c9aaeb6d5
-
SHA512
724d06132d499a53c8b52987c48ec0707034eaf8fd60acfea4232959fda2bd74eb1389a381e33a62e0466fd27911e61ed39bfcf604c552ba3c073cb9a07c20f0
Malware Config
Extracted
lokibot
http://164.90.194.235/?id=22044231991792986
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Citate-1_2022-02-22_10-56.xlsx
-
Size
186KB
-
MD5
50ec47d421db7fdbe536cbe1e3da08e1
-
SHA1
e5073e9cd75af5f085b693a223e9d6f7aa80effd
-
SHA256
723ec9f9adec4d73a61d585531c7bc06d3b10ea246828b44cdd97a3c9aaeb6d5
-
SHA512
724d06132d499a53c8b52987c48ec0707034eaf8fd60acfea4232959fda2bd74eb1389a381e33a62e0466fd27911e61ed39bfcf604c552ba3c073cb9a07c20f0
Score10/10-
Detect Neshta Payload
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-