General

  • Target

    Payment Advice.xlsx

  • Size

    177KB

  • Sample

    220706-dhcbdshhg3

  • MD5

    a7f141d20c017dcfc0c0f953ab70849e

  • SHA1

    730dc699b2fc062385cb8642c9d32fa792aab3f3

  • SHA256

    a218f6790ee850c45bc013ffa81350ff30770d0d06d1d16e0bde8a093fd63969

  • SHA512

    5ad0d20ec9ffc2cf6e48067920d6f97cae4787ba8baf3f6a71218fe2be060d167bb20ce9ca822038409114eb688c70de864de7a7e9f687c4d80d477b7e31d2f4

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.ga/BN1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Payment Advice.xlsx

    • Size

      177KB

    • MD5

      a7f141d20c017dcfc0c0f953ab70849e

    • SHA1

      730dc699b2fc062385cb8642c9d32fa792aab3f3

    • SHA256

      a218f6790ee850c45bc013ffa81350ff30770d0d06d1d16e0bde8a093fd63969

    • SHA512

      5ad0d20ec9ffc2cf6e48067920d6f97cae4787ba8baf3f6a71218fe2be060d167bb20ce9ca822038409114eb688c70de864de7a7e9f687c4d80d477b7e31d2f4

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      170KB

    • MD5

      68f25039e42b31408e1e22ea9fac7cf7

    • SHA1

      a507fcc5d4d7a1bbea2fd893576043bf9279d11d

    • SHA256

      71e1418e7cf4790fff7f22539f12ccf1a0d9fb9a419e138034ea7a954f4a9a51

    • SHA512

      e9135a676e2c7d5e43896fc8f6b41b5d15ce0940ed60e8de157b4bdd7d8eb09424f43a3cebab8cc21919002558f5ce012589dc61ce3c0e575584bd446a956f2e

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

2
T1064

Exploitation for Client Execution

2
T1203

Defense Evasion

Scripting

2
T1064

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Tasks