General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.21647.29852.rtf
-
Size
13KB
-
Sample
221004-t64csabee8
-
MD5
5f4e78396958c7e9add7060c17cd448d
-
SHA1
fbfdb89444e4bcec86d7599bf7c85c7f07f0bfc9
-
SHA256
2a871ffb84aa66cd0d0a2d030e979f35d0bc1f96fcb60248839dd9a488edd109
-
SHA512
95d275746255be6fb84065c0ed1c752850c3f41f95b21c69c74d707a752f7aa31eaf31004c3b3aa904c91be104a5208bd8f53423091c881070beaa09aa739197
-
SSDEEP
384:PylcKUzrrsbOTI+2tNttybiYZeDzD97aC6bShBuiFM:PyidzEk2ibPaD97R6yK
Malware Config
Extracted
lokibot
http://208.67.105.161/donstan/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.21647.29852.rtf
-
Size
13KB
-
MD5
5f4e78396958c7e9add7060c17cd448d
-
SHA1
fbfdb89444e4bcec86d7599bf7c85c7f07f0bfc9
-
SHA256
2a871ffb84aa66cd0d0a2d030e979f35d0bc1f96fcb60248839dd9a488edd109
-
SHA512
95d275746255be6fb84065c0ed1c752850c3f41f95b21c69c74d707a752f7aa31eaf31004c3b3aa904c91be104a5208bd8f53423091c881070beaa09aa739197
-
SSDEEP
384:PylcKUzrrsbOTI+2tNttybiYZeDzD97aC6bShBuiFM:PyidzEk2ibPaD97R6yK
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-