Overview

overview

10

Static

static

Electronic TT.xlsx

windows7_x64

10

Electronic TT.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Electronic TT.xlsx

  • Size

    176KB

  • Sample

    220705-pgldfshafj

  • MD5

    d9fb493b2f5ed5e8b3b34cf0367e703a

  • SHA1

    06f4c0be77180c6a9186e2e4a8cc7870994c02f1

  • SHA256

    696bf4ad81dc97296af71046de685e83a4d892df9a2726bae485df5667afe2d4

  • SHA512

    23b45cfc80f57e4ee2788a8b49282e683eb77235ae79745d3df857edaf8ba71c3959367501f0cd276a4ad5f6cfbec048d73fd73243f7769cb9cc4d9a6d9fba82

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Electronic TT.xlsx

    • Size

      176KB

    • MD5

      d9fb493b2f5ed5e8b3b34cf0367e703a

    • SHA1

      06f4c0be77180c6a9186e2e4a8cc7870994c02f1

    • SHA256

      696bf4ad81dc97296af71046de685e83a4d892df9a2726bae485df5667afe2d4

    • SHA512

      23b45cfc80f57e4ee2788a8b49282e683eb77235ae79745d3df857edaf8ba71c3959367501f0cd276a4ad5f6cfbec048d73fd73243f7769cb9cc4d9a6d9fba82

    Score
    10/10
    lokibotcollectionspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks