General
-
Target
IN-001.doc
-
Size
58KB
-
Sample
230207-kd568sae33
-
MD5
99ab551c6192ceb58cea0bac7f4ac455
-
SHA1
856f1b0f87aec5414c0636f07a9d67870b9e4652
-
SHA256
09e8530ee34bbf8a56ac3d8e688a5c8d79d28ada9eb9a5253dd57416322011ce
-
SHA512
ed40173cea14d5914b10677771073559ee9fc5fa180fb74a74e374dfbde408164b055c3b9807cfb9af049972d9d9cff28f3ec862cd72fe588c6478cb1ad74f31
-
SSDEEP
1536:8t3kvJ+fjdgWIHvzT8vm289cG5XcIppYwEB6O14DqNcnfJ+QaBK3z:w3kvJ+Z4rT8vm2lGSgpYwEgO1sqNcnfB
Malware Config
Extracted
lokibot
http://185.246.220.85/davidhill/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
IN-001.doc
-
Size
58KB
-
MD5
99ab551c6192ceb58cea0bac7f4ac455
-
SHA1
856f1b0f87aec5414c0636f07a9d67870b9e4652
-
SHA256
09e8530ee34bbf8a56ac3d8e688a5c8d79d28ada9eb9a5253dd57416322011ce
-
SHA512
ed40173cea14d5914b10677771073559ee9fc5fa180fb74a74e374dfbde408164b055c3b9807cfb9af049972d9d9cff28f3ec862cd72fe588c6478cb1ad74f31
-
SSDEEP
1536:8t3kvJ+fjdgWIHvzT8vm289cG5XcIppYwEB6O14DqNcnfJ+QaBK3z:w3kvJ+Z4rT8vm2lGSgpYwEgO1sqNcnfB
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-