General
-
Target
RFQ- 1130001361.xlsx
-
Size
177KB
-
Sample
220704-jgdeysfchp
-
MD5
e2f71641342ac10c036c789a80660d12
-
SHA1
6b003f26d90c664b9fd7f4f472915bba10354a15
-
SHA256
eb38739c2fa7aaf54fbff0e1902aff7531855eaa086f58709374c8161181385e
-
SHA512
76108e07765a738dac85ba6ab3b9eba26929d979895c1ca5fdf9e664578d7ce6f2806528a56a7e5646c8e25ef0a9c2cee6e1bb2c0f96e086c6a7910b0b09c78b
Malware Config
Extracted
lokibot
http://62.197.136.176/health4/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://��������������З������Й���Й��я��
Targets
-
-
Target
RFQ- 1130001361.xlsx
-
Size
177KB
-
MD5
e2f71641342ac10c036c789a80660d12
-
SHA1
6b003f26d90c664b9fd7f4f472915bba10354a15
-
SHA256
eb38739c2fa7aaf54fbff0e1902aff7531855eaa086f58709374c8161181385e
-
SHA512
76108e07765a738dac85ba6ab3b9eba26929d979895c1ca5fdf9e664578d7ce6f2806528a56a7e5646c8e25ef0a9c2cee6e1bb2c0f96e086c6a7910b0b09c78b
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-