General
-
Target
Payment Advice.xlsx.zip
-
Size
170KB
-
Sample
220706-h8wj6sabcj
-
MD5
6803698313d235c32cbd073b083cdb77
-
SHA1
1e66b262494f484a1c2058495a7fa39ab9077f6d
-
SHA256
3586bd8cc92a3702ded3cc6de744756a3aa45a543d16b2fc10cabcba77fb0403
-
SHA512
323962daa1d03a301813b85ce6b23ca588c05a2ae2b34214d63f628d5d77201e644e73dfc03083e7e1b1743b148b8f7f7073b1d691567e853561eb93051e9505
Malware Config
Extracted
lokibot
http://hyatqfuh9olahvxf.ga/BN1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Payment Advice.xlsx
-
Size
177KB
-
MD5
a7f141d20c017dcfc0c0f953ab70849e
-
SHA1
730dc699b2fc062385cb8642c9d32fa792aab3f3
-
SHA256
a218f6790ee850c45bc013ffa81350ff30770d0d06d1d16e0bde8a093fd63969
-
SHA512
5ad0d20ec9ffc2cf6e48067920d6f97cae4787ba8baf3f6a71218fe2be060d167bb20ce9ca822038409114eb688c70de864de7a7e9f687c4d80d477b7e31d2f4
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
decrypted
-
Size
170KB
-
MD5
68f25039e42b31408e1e22ea9fac7cf7
-
SHA1
a507fcc5d4d7a1bbea2fd893576043bf9279d11d
-
SHA256
71e1418e7cf4790fff7f22539f12ccf1a0d9fb9a419e138034ea7a954f4a9a51
-
SHA512
e9135a676e2c7d5e43896fc8f6b41b5d15ce0940ed60e8de157b4bdd7d8eb09424f43a3cebab8cc21919002558f5ce012589dc61ce3c0e575584bd446a956f2e
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-