General
-
Target
DRAFT DOCS INVCK2023M1903 BL PL.xls
-
Size
1.3MB
-
Sample
230130-nxx7hsab96
-
MD5
b54c1c8fe2234c6c4703025bf8c5d3e8
-
SHA1
e553f7475fb8f8dc3d8305271898f378c2b4cec6
-
SHA256
b63a846d80c3f42ba49b24071706e928e782481a8e46190248cd609da8bec7eb
-
SHA512
4db3243a46ad4c8546a908f228364a27730f43fa6c18558fd4547496d7173488e27805f3bc2eb60da811070aec5a6260eeee6fd3d0e05b2cedfeecb695db3752
-
SSDEEP
24576:7LKMZyOZy8LKNZyyZy6Q8ToW0cwmnAoNa:7LK+5zLK3VHjTVwmPN
Malware Config
Extracted
lokibot
http://171.22.30.147/gk1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
DRAFT DOCS INVCK2023M1903 BL PL.xls
-
Size
1.3MB
-
MD5
b54c1c8fe2234c6c4703025bf8c5d3e8
-
SHA1
e553f7475fb8f8dc3d8305271898f378c2b4cec6
-
SHA256
b63a846d80c3f42ba49b24071706e928e782481a8e46190248cd609da8bec7eb
-
SHA512
4db3243a46ad4c8546a908f228364a27730f43fa6c18558fd4547496d7173488e27805f3bc2eb60da811070aec5a6260eeee6fd3d0e05b2cedfeecb695db3752
-
SSDEEP
24576:7LKMZyOZy8LKNZyyZy6Q8ToW0cwmnAoNa:7LK+5zLK3VHjTVwmPN
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-