General
-
Target
PL 991382-991383-991384.xlsx
-
Size
176KB
-
Sample
220705-pf2ztahael
-
MD5
3817faf60cd206f173d6aecf7ed163e3
-
SHA1
0a21fb7be56324fe17b5d4c80e46195953044725
-
SHA256
8bd13216d09241dea750d29c96273e1ec4ee7bdca995bdb5501517b015957498
-
SHA512
021f26da724bfcf2a7d98eeaf74aac9360ed032d3fefe862abee7237bc8656af356e6f7acbeac89be2dc12d59c982c89283f1609d2b1d673ae87a6e2db75cf9a
Malware Config
Extracted
lokibot
http://62.197.136.176/health4/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://��������������З������Й���Й��я��
Targets
-
-
Target
PL 991382-991383-991384.xlsx
-
Size
176KB
-
MD5
3817faf60cd206f173d6aecf7ed163e3
-
SHA1
0a21fb7be56324fe17b5d4c80e46195953044725
-
SHA256
8bd13216d09241dea750d29c96273e1ec4ee7bdca995bdb5501517b015957498
-
SHA512
021f26da724bfcf2a7d98eeaf74aac9360ed032d3fefe862abee7237bc8656af356e6f7acbeac89be2dc12d59c982c89283f1609d2b1d673ae87a6e2db75cf9a
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-