General
-
Target
Shipping Documents.xls
-
Size
745KB
-
Sample
221123-qxzrfsfb34
-
MD5
36dbbe387ce3851bc3aa42ed8dc48a8d
-
SHA1
dce1e73be53660393244455de8b630b214df847a
-
SHA256
188c29dc39bcf0f5dea8950ae2aebfbaa9efcbbc8ac2e7a5fcffabc9d4fcd99c
-
SHA512
94bf48cf5edc675e83700d96ad7207335505eb7104edf43691cd3e891338df72d0a0da0e210f3777d2c4bf6202fa8e3e4d1c827559dca5e1d8749970f4c6e302
-
SSDEEP
12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWTmaqydNqrDx7XXXXXXXXXXXXUN:Cr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXy
Malware Config
Extracted
lokibot
http://sempersim.su/gm14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Shipping Documents.xls
-
Size
745KB
-
MD5
36dbbe387ce3851bc3aa42ed8dc48a8d
-
SHA1
dce1e73be53660393244455de8b630b214df847a
-
SHA256
188c29dc39bcf0f5dea8950ae2aebfbaa9efcbbc8ac2e7a5fcffabc9d4fcd99c
-
SHA512
94bf48cf5edc675e83700d96ad7207335505eb7104edf43691cd3e891338df72d0a0da0e210f3777d2c4bf6202fa8e3e4d1c827559dca5e1d8749970f4c6e302
-
SSDEEP
12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWTmaqydNqrDx7XXXXXXXXXXXXUN:Cr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXy
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-