Overview

overview

10

Static

static

200ACC7F2C...AD.rtf

windows7-x64

10

200ACC7F2C...AD.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    200ACC7F2C682A11762CD66158F15AAFA2143F3AEECF62D1152CC4FDE6224BAD

  • Size

    26KB

  • Sample

    221123-r1p7vsaa46

  • MD5

    962cffd99bdc793a4be372de2846e36d

  • SHA1

    655878671708ee824f00daa033f9b274e9c66cb5

  • SHA256

    200acc7f2c682a11762cd66158f15aafa2143f3aeecf62d1152cc4fde6224bad

  • SHA512

    b699e0d4a35eaac43538803a1f871f82303e422c0e4da9198aaf151fd88d80043d9a64703be1a3fbc96d5090d38e660659f8f1d51eddf748793bd6227400dc16

  • SSDEEP

    768:CFx0XaIsnPRIa4fwJM+vJczdKJxMtZzHbfYn1zR5pVbjA:Cf0Xvx3EM+v2KezHb6j5pW

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/victor/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      200ACC7F2C682A11762CD66158F15AAFA2143F3AEECF62D1152CC4FDE6224BAD

    • Size

      26KB

    • MD5

      962cffd99bdc793a4be372de2846e36d

    • SHA1

      655878671708ee824f00daa033f9b274e9c66cb5

    • SHA256

      200acc7f2c682a11762cd66158f15aafa2143f3aeecf62d1152cc4fde6224bad

    • SHA512

      b699e0d4a35eaac43538803a1f871f82303e422c0e4da9198aaf151fd88d80043d9a64703be1a3fbc96d5090d38e660659f8f1d51eddf748793bd6227400dc16

    • SSDEEP

      768:CFx0XaIsnPRIa4fwJM+vJczdKJxMtZzHbfYn1zR5pVbjA:Cf0Xvx3EM+v2KezHb6j5pW

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks