General
-
Target
interflux 230101.docx
-
Size
10KB
-
Sample
230207-1cj6dafg49
-
MD5
d07eb11e2f72bde21377460c4eaebfa4
-
SHA1
729b4f7d337e88ea40c0d417bd2808f275de733e
-
SHA256
533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae
-
SHA512
7a0f0fdecbdc2a8c9b78791b776c95d9a58fb857be65bc0d57b28508eab0080a44f0a16e0d1114e7b2146705186376dbffef22bc0a4ef918ae51c2087db2b66a
-
SSDEEP
192:ScIMmtP5hG/b7XN+eO/xXkO+5+5F7Jar/YEChI3UqR:SPXRE7XtOJXk7wtar/YECOUe
Malware Config
Extracted
http://dgdfg00000000hfjf0000000ghfghfgh000000gfhfg0000hfgsdgfggd0000fgdfge00000rtdfgd00000fg00dfg@3221479282/78.doc
Extracted
lokibot
https://sempersim.su/ha1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
interflux 230101.docx
-
Size
10KB
-
MD5
d07eb11e2f72bde21377460c4eaebfa4
-
SHA1
729b4f7d337e88ea40c0d417bd2808f275de733e
-
SHA256
533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae
-
SHA512
7a0f0fdecbdc2a8c9b78791b776c95d9a58fb857be65bc0d57b28508eab0080a44f0a16e0d1114e7b2146705186376dbffef22bc0a4ef918ae51c2087db2b66a
-
SSDEEP
192:ScIMmtP5hG/b7XN+eO/xXkO+5+5F7Jar/YEChI3UqR:SPXRE7XtOJXk7wtar/YECOUe
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-