Overview

overview

10

Static

static

RFP 20220707DX1.xlsx

windows7_x64

10

RFP 20220707DX1.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3831fe319b72dd5bed7c521bfca7e25d

  • Size

    243KB

  • Sample

    220707-f8ynesdgen

  • MD5

    3831fe319b72dd5bed7c521bfca7e25d

  • SHA1

    03083d1e76ab9d908187abd6b68fecb40afd0040

  • SHA256

    46d65aa260e3fb75b353233417fe796aa0d6e3e1821a43db6799b458f5ebb610

  • SHA512

    6542f1b3c95ab8224343017b2bb559e857d3092a966173f47a7930cf10b4f5726071ae63cea2fd1773223388f719ae4d0943a791e47f353e9ec172e5cb06e303

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://45.133.1.20/rostov2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://�����������Ѝ������Й���Й��я��

Targets

    • Target

      RFP 20220707DX1.xlsx

    • Size

      176KB

    • MD5

      56216ff6352da0391772dbfcc6048c60

    • SHA1

      1f25f87f68748566062820ec293f7c1678d301ce

    • SHA256

      82e7f3f4e817a291abb29ae2698c1242d3d53f39a37f1530d4210573f26fade9

    • SHA512

      e9fd9b0b7f82889d7e81cb29d9dfbf5832f32e909f79209dd594631292622972728dcf898d875d42f47554071b0b12fba6486eeabc668f716ea84f92790c3de2

    Score
    10/10
    lokibotcollectionspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

      suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

      suricata

    • suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL

      suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL

      suricata

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks