General
-
Target
New PO.doc__.rtf
-
Size
24KB
-
Sample
230116-tzs88sdg4y
-
MD5
f53e284bae498d64482cd230ca73b0b6
-
SHA1
14a7620d0b23c9e56d87b1f1a1e294d1e59d7d10
-
SHA256
9d483b95136f3daa77fb94176c2141d3460986f275b63404c89c703b4b11e658
-
SHA512
5bf9d995847111eecdbbb46ea59306239cddd2118ad95236ce6538bf23b2a5d0dbb5f0c106acbed5df269375d8510dd8a8d1b08f1b984d58ec34664a8641fe39
-
SSDEEP
384:BTQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ4Z/Exg3Likbl8lk5xoQayFcV:BJFx0XaIsnPRIa4fwJMCplR8m5x5aogb
Malware Config
Extracted
lokibot
http://171.22.30.147/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
New PO.doc__.rtf
-
Size
24KB
-
MD5
f53e284bae498d64482cd230ca73b0b6
-
SHA1
14a7620d0b23c9e56d87b1f1a1e294d1e59d7d10
-
SHA256
9d483b95136f3daa77fb94176c2141d3460986f275b63404c89c703b4b11e658
-
SHA512
5bf9d995847111eecdbbb46ea59306239cddd2118ad95236ce6538bf23b2a5d0dbb5f0c106acbed5df269375d8510dd8a8d1b08f1b984d58ec34664a8641fe39
-
SSDEEP
384:BTQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ4Z/Exg3Likbl8lk5xoQayFcV:BJFx0XaIsnPRIa4fwJMCplR8m5x5aogb
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-