General
-
Target
Shipping Documents.zip
-
Size
78KB
-
Sample
221102-lphezsbefj
-
MD5
f8a02217108d476b37f44eb6d6a023c0
-
SHA1
fd6b13fdfd2537ec1cd99152d3468a8da55eda39
-
SHA256
de13ea009116208fdf3edc65318e3e2743fd17b76154b29636c90e14e45127e3
-
SHA512
7599a9c496b000040dbe0968bbda89283b82f46348beaf54edf2f1b278d602cae3464546a62e59b81c01b6d3d15031b8e3682490ca7534ac00f6392329ac1099
-
SSDEEP
1536:ezo5xEqSMzjebiOBP1LAs3j75fSl910HjLYm/zCw6xqpQ:v5xE92jBOBt0sxw9qHj8m/zVpQ
Malware Config
Extracted
lokibot
http://208.67.105.161/starmoney/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Shipping Documents.exe
-
Size
90KB
-
MD5
0ccf418bcf41e790cb09787062bed80b
-
SHA1
54f33e1f18a5f33c755779e0335e8c1695deb20d
-
SHA256
8b8936901557f02c5a2a6821394d35f0a21fbf13fd78519e0c778ad047f1eaab
-
SHA512
4796ecfaa6edf7be4b9105afccc645c61d415dbfd8aed8e4aa1db1bf47e00ed1e2fc528123a600d881d06d078beb96c787360da7e9b1b6c3bbda81a8c0ce7cc2
-
SSDEEP
1536:6jpUUbAtT7oF3vWQ+Gwl+cSM6UGtB/EK8W6yp910HjLYm/zCwlt+xH7zP9:qUJoFfWzzl+cSM6UGz8Kp649qHj8m/zi
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-