Overview

overview

10

Static

static

rar.exe

windows7_x64

10

rar.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2f4122fed142c81e9f7fff4ed091012063c70b8b8c77a83b6dfe5a20dbff85bf

  • Size

    718KB

  • Sample

    220521-w7fzzsbah5

  • MD5

    e3cd19429642273c1b147246ddec3c30

  • SHA1

    98776947cdec0ae719c4e28b0ec65dc2593781b8

  • SHA256

    2f4122fed142c81e9f7fff4ed091012063c70b8b8c77a83b6dfe5a20dbff85bf

  • SHA512

    42782f4f74727b35791c88deb1f889e849307a9e1a2f0ced5ffda938908e20bd89bd4c50a5c9734c7da42cf5f6e71eeb2742986f79d0bb315f7af5bb7f1a5fbc

Score
10/10
lokibotmodiloadercollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://rarlab.gq/comic/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      rar.exe

    • Size

      838KB

    • MD5

      30c26f973e864ae0bb81942137176acb

    • SHA1

      ab42932e9e8bb05250369966bd2af44223db82a1

    • SHA256

      51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab

    • SHA512

      0ff5f5c3af3a8cd4b37fce61e2230e5889cbe42d956ab1c9b2273eb268aa1951f192ef342ff5d218cb5ebe2103d7fa88aba5d74d12a2c4eeaab8a7d9e7fbb98c

    Score
    10/10
    lokibotmodiloadercollectionspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks