General

  • Target

    1b4be675b849a4b047e6f582a162fe97

  • Size

    246KB

  • Sample

    220707-f71rdsfhe4

  • MD5

    1b4be675b849a4b047e6f582a162fe97

  • SHA1

    5289b3e3947012da23cdab07f4e14ee82725b5e2

  • SHA256

    1880b6af42560176e6386ac74fef094bc61fb4baa7c949af61856a3602341c8a

  • SHA512

    85841185a7d7bf08f54c5be8b4246d78d41a2e24e1cdba54db998a69a1db0233b4549e25225082faca34ce59869e2def5b989df24b8f797b5290f38465a425c1

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.ga/BN1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Payment Advice.xlsx

    • Size

      177KB

    • MD5

      a7f141d20c017dcfc0c0f953ab70849e

    • SHA1

      730dc699b2fc062385cb8642c9d32fa792aab3f3

    • SHA256

      a218f6790ee850c45bc013ffa81350ff30770d0d06d1d16e0bde8a093fd63969

    • SHA512

      5ad0d20ec9ffc2cf6e48067920d6f97cae4787ba8baf3f6a71218fe2be060d167bb20ce9ca822038409114eb688c70de864de7a7e9f687c4d80d477b7e31d2f4

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      170KB

    • MD5

      68f25039e42b31408e1e22ea9fac7cf7

    • SHA1

      a507fcc5d4d7a1bbea2fd893576043bf9279d11d

    • SHA256

      71e1418e7cf4790fff7f22539f12ccf1a0d9fb9a419e138034ea7a954f4a9a51

    • SHA512

      e9135a676e2c7d5e43896fc8f6b41b5d15ce0940ed60e8de157b4bdd7d8eb09424f43a3cebab8cc21919002558f5ce012589dc61ce3c0e575584bd446a956f2e

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks