General
-
Target
Draft Of Shipping documents.xls
-
Size
812KB
-
Sample
221129-lx8xxabg6t
-
MD5
6f99f2125d4b5b67e16caa9178214b64
-
SHA1
ab346d39e6fc59d79e0155a093be39ec026bda02
-
SHA256
6d9d20eaf48b6a8346d2a9bc729aaadceba262e81b51c47bba8da0f8f7fe5a70
-
SHA512
c03c1ede0189e872c7f615f96d0cf3f197899bae8d0efeb9a017d32d22a1bb703294f6a9acb880fe82cc242fbe2fee7324325e96657a0c70c0d9561cfb91158f
-
SSDEEP
24576:t/ar5XXXXXXXXXXXXUXXXXXXXSXXXXXXXX1mUr5XXXXXXXXXXXXUXXXXXXXSXXX+:nFLB0x
Malware Config
Extracted
lokibot
http://sempersim.su/gm14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Draft Of Shipping documents.xls
-
Size
812KB
-
MD5
6f99f2125d4b5b67e16caa9178214b64
-
SHA1
ab346d39e6fc59d79e0155a093be39ec026bda02
-
SHA256
6d9d20eaf48b6a8346d2a9bc729aaadceba262e81b51c47bba8da0f8f7fe5a70
-
SHA512
c03c1ede0189e872c7f615f96d0cf3f197899bae8d0efeb9a017d32d22a1bb703294f6a9acb880fe82cc242fbe2fee7324325e96657a0c70c0d9561cfb91158f
-
SSDEEP
24576:t/ar5XXXXXXXXXXXXUXXXXXXXSXXXXXXXX1mUr5XXXXXXXXXXXXUXXXXXXXSXXX+:nFLB0x
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-