Overview

overview

10

Static

static

TF1708291.exe

windows7_x64

10

TF1708291.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    41c2f90936b34924eb72998db1f19590441fb9521caec872fdf96d4f56b81359

  • Size

    960KB

  • Sample

    220521-w7gxaaedbk

  • MD5

    c94d65d6a9d86a83f492b464384387fc

  • SHA1

    30e8c4a3c864390169e740c35b92019edb197810

  • SHA256

    41c2f90936b34924eb72998db1f19590441fb9521caec872fdf96d4f56b81359

  • SHA512

    05045e99d0f379710b1e1ade2ddc0140d344fe541afb9c120b567afe0c7cd1abe33b96ba584721f78712438644d628b23bdf7feb25426ef4415a6212ef6bd4c9

Score
10/10
lokibotmodiloadercollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://japosinks.duckdns.org/collates/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      TF1708291.exe

    • Size

      1.1MB

    • MD5

      d305eeaa9cf297eceb16c018fdc6b4e7

    • SHA1

      a2b5e684938f7a3393993f7188c63299f00c86c8

    • SHA256

      9bb1a92bc0f71772f7a57b22fa9a62b2147243d9c1387cf5767d7dea516c37ca

    • SHA512

      9d3fb8e4dde4e8e8dd3a711a48c700cd4a8233833c109b7076939b4e3dc30dc39d699cab77e643baaeb0216a0e437f018c83512b8460f0146de9b445df24b0fd

    Score
    10/10
    lokibotmodiloadercollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • ModiLoader First Stage

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks