General
-
Target
load.xlsx
-
Size
176KB
-
Sample
220707-gfqmsagca5
-
MD5
196db6cda946aae599ffd6cb4dd7a3d2
-
SHA1
85cab8d693b2466960fb64a4fb38f3501df52f99
-
SHA256
e837a94d9e7b13a40c28ce2e58555b69c681d29436a2703ee449d638544a10fd
-
SHA512
b5b28e6b643bbfc3696591ab4f433db9dfb25704e2a58857eeebf8ad0a2ca07b12306b81a7f8558926adc9f140b0786825a7a213ac0f834e71bf970d8af8e4ca
Malware Config
Extracted
lokibot
http://45.133.1.20/health12/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://�����������З�������Й���Й��я��
Targets
-
-
Target
load.xlsx
-
Size
176KB
-
MD5
196db6cda946aae599ffd6cb4dd7a3d2
-
SHA1
85cab8d693b2466960fb64a4fb38f3501df52f99
-
SHA256
e837a94d9e7b13a40c28ce2e58555b69c681d29436a2703ee449d638544a10fd
-
SHA512
b5b28e6b643bbfc3696591ab4f433db9dfb25704e2a58857eeebf8ad0a2ca07b12306b81a7f8558926adc9f140b0786825a7a213ac0f834e71bf970d8af8e4ca
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
decrypted
-
Size
170KB
-
MD5
7de3eb29e662f51aea4ebfa4e306936d
-
SHA1
5fc361e431f6b7906d378a5b65e4c483f95c35eb
-
SHA256
2212e6cc060d8c97381c911ee2fd077c01e9290146f0f50dcdf5f9b04254670f
-
SHA512
af42356857609686d629f8927e3f331d5761ecbf56ddb942643c91acae33a1ec83ce85f26bfc169eb83b0efc31f07bcc9e140482c5f719fe15de891b31818002
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-