General
-
Target
Sales Contract.doc
-
Size
37KB
-
Sample
230208-w9hllaec97
-
MD5
285a89c80adb7aaa99bcc5520db5d157
-
SHA1
24dc77157ef3917920b4b97fdd9ed1ab25ee110c
-
SHA256
36047edee76991abf7488230ee76595be53542c3c2f994f1256f00ea5e56ece6
-
SHA512
3c345a14f4fb4de86d4afb4af97e15a07bcddc9e448623d432ccecb4f492302f342c607f72a421a4658dd24b92103382b45c6878193c3223f206c06d7efa8cf4
-
SSDEEP
768:XFx0XaIsnPRIa4fwJMyy2nMOzmoT0N028m5CJaO26maSVX:Xf0Xvx3EMZ6MOz5c35FO5/SVX
Malware Config
Extracted
lokibot
http://171.22.30.147/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Sales Contract.doc
-
Size
37KB
-
MD5
285a89c80adb7aaa99bcc5520db5d157
-
SHA1
24dc77157ef3917920b4b97fdd9ed1ab25ee110c
-
SHA256
36047edee76991abf7488230ee76595be53542c3c2f994f1256f00ea5e56ece6
-
SHA512
3c345a14f4fb4de86d4afb4af97e15a07bcddc9e448623d432ccecb4f492302f342c607f72a421a4658dd24b92103382b45c6878193c3223f206c06d7efa8cf4
-
SSDEEP
768:XFx0XaIsnPRIa4fwJMyy2nMOzmoT0N028m5CJaO26maSVX:Xf0Xvx3EMZ6MOz5c35FO5/SVX
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-