General
-
Target
SPQTN-5979S22R1.PDF.zip
-
Size
422KB
-
Sample
220704-kbvmqaffej
-
MD5
20e799a31d903c6d0873eaad9a78fb8e
-
SHA1
ba943cacfe1a4e22441f05f0d1e524c13973b8f8
-
SHA256
046cd0e3dc649d6768baee1d3134f70beee73cf1c0cbee8f5aed935d5441e613
-
SHA512
c1263996447c2876e756b93cef545f13faf31fede036d0b0a7c1626c4d9eed9e28bd326245318e089c3e6ac255a1c0e7d0f03066aa4896578b86418fd3d50212
Malware Config
Extracted
lokibot
http://198.187.30.47/p.php?id=13358169096816438
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
SPQTN-5979S22R1.PDF.exe
-
Size
468KB
-
MD5
d97461db9f43b9e313e3d1d2b839d185
-
SHA1
1f2bdbbb34c3c6cbbc2e63b6130564d8cc907223
-
SHA256
f93b9a807162892140b00e569b52e23a984ade57524a9c16710c0f89513f7f1c
-
SHA512
3568596690b5383cea5234df8f013141f23e0dc5fc43d2a78829e81963fc3f6c336cca8faa31109efb7ee41bc97eeb114c790ebbb9236e73cc59863b781f78a9
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-