Overview

overview

10

Static

static

ORDER.exe

windows7_x64

10

ORDER.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d72302d2da4c00d4e1bde3e6189c873744c8208deabfa5c7979f52b25611bd3b

  • Size

    184KB

  • Sample

    220521-psa2vsfhe9

  • MD5

    21563e8dfa2e0c181fe8008ea1171390

  • SHA1

    00ff54059253bca5883fd9df8b7069c36ece4d0a

  • SHA256

    d72302d2da4c00d4e1bde3e6189c873744c8208deabfa5c7979f52b25611bd3b

  • SHA512

    5192ed9c3f470d21180ddd89239b78de21da67175b2c10324fb122c315ac731e526afc854510a6e6d773e09a3d6955dc1fb516dd1c845620afb6f9a1a42217c4

Score
10/10
lokibotcollectionrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://siiigroup.com/blue/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      ORDER.exe

    • Size

      238KB

    • MD5

      671b27a27e1600b1fd60ac5d3d8d7c2a

    • SHA1

      27960035610e4b377952354658f1ea569272a907

    • SHA256

      8f1241270e8d6833a48656b7f5507d58f974fe0fb9ae323d13725e30b0841c59

    • SHA512

      e0c5be3f468e3cb9b7a06dd20898acc43b198458e584ebc337208406928f22b3cb91aad7c5c86d1075a02adfe943a02dafab3646e71132383e2872980adef0b5

    Score
    10/10
    lokibotcollectionrezer0spywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks