General
-
Target
SHIPPING_DOCUMENT.xlsx
-
Size
176KB
-
Sample
220705-pea5psahc9
-
MD5
845a22ffc5d1c728a1b6b549c4562b91
-
SHA1
55d010a73c2e0ef0e1370c8d7cea8ed3e633673d
-
SHA256
3ff62073575daa14830510eab2aa7456e7f13ae4152e9d2c09ff41b5fbfee533
-
SHA512
21dd91910d1e8a3d29e437185f90332a0fe77e5e5513b69a68fa60d34117f2287f49d4116f65e5883aeba1fde6a1fa94ca82883829f8f57d9082ea16911149db
Malware Config
Extracted
lokibot
http://85.202.169.172/health3/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://��������������З������Й���Й��я��
Targets
-
-
Target
SHIPPING_DOCUMENT.xlsx
-
Size
176KB
-
MD5
845a22ffc5d1c728a1b6b549c4562b91
-
SHA1
55d010a73c2e0ef0e1370c8d7cea8ed3e633673d
-
SHA256
3ff62073575daa14830510eab2aa7456e7f13ae4152e9d2c09ff41b5fbfee533
-
SHA512
21dd91910d1e8a3d29e437185f90332a0fe77e5e5513b69a68fa60d34117f2287f49d4116f65e5883aeba1fde6a1fa94ca82883829f8f57d9082ea16911149db
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-