Overview

overview

10

Static

static

ORDINE.vbs

windows7-x64

10

ORDINE.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDINE.7z

  • Size

    1KB

  • Sample

    220725-kszb8sbfek

  • MD5

    efd2320e0e7f981e03994d68d8285853

  • SHA1

    7912a8c9a31ad0506535f44001444f010f256ce6

  • SHA256

    abb023216cf01005730aefe0b0948043285674f51036ab6c568bb76c49ac438c

  • SHA512

    71f53da29618ceec4151326229a70c2537998e7a985d8ab53d07b7f0b73bac109c3225eb04ae2a3685edc130458c48624a38bb392fe260c8e877e4a9a1ac5889

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/14-07-2022.mp4

Extracted

Family

lokibot

C2

http://vlascx.xyz/luck/cx/kai.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      ORDINE.vbs

    • Size

      231KB

    • MD5

      e020cd23ba91c3f6ad9c9ed3d6f391b5

    • SHA1

      c924b29e61a4765cee969e841a76e304b646c168

    • SHA256

      d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738

    • SHA512

      6f01979834b8de6979bb485edaff44079ca58923b2e333e6e089ef76f73b13e6b5c51d2220163c0a216bc1f5576be4c0fc30867743e7f1ef70054868b083ff86

    Score
    10/10
    suricatalokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • suricata: ET MALWARE Powershell commands sent B64 3

      suricata: ET MALWARE Powershell commands sent B64 3

      suricata

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks