General
-
Target
P.O #306078910.xls
-
Size
548KB
-
Sample
230208-w9hllaec98
-
MD5
4d0c7f86b0e57066396f5a7b96eb1a49
-
SHA1
c8e04472398c857cc8eb9b20295a41eb151ea8c4
-
SHA256
a3d6bb9bcec84d97233aefc0f3fa839119d1a9af04581c7874e07b1292dcd7a4
-
SHA512
00149978b7189a4416c28d21686316d00324b3704a1b100b1f5257141c8353a13615f280b8d70bbdc7faa6429f3447768e121cde9a611322df2a6f808bc6dd70
-
SSDEEP
6144:yaFJkKXiDU7wo6cyBpezcOPqGjZ+RwPONXoRjDhIcp0fDlavx+W26nAKC0LHAV0J:yaFiKXKPcyBpezBZDDDAGQm78JU68
Malware Config
Extracted
lokibot
http://208.67.105.148/china/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
P.O #306078910.xls
-
Size
548KB
-
MD5
4d0c7f86b0e57066396f5a7b96eb1a49
-
SHA1
c8e04472398c857cc8eb9b20295a41eb151ea8c4
-
SHA256
a3d6bb9bcec84d97233aefc0f3fa839119d1a9af04581c7874e07b1292dcd7a4
-
SHA512
00149978b7189a4416c28d21686316d00324b3704a1b100b1f5257141c8353a13615f280b8d70bbdc7faa6429f3447768e121cde9a611322df2a6f808bc6dd70
-
SSDEEP
6144:yaFJkKXiDU7wo6cyBpezcOPqGjZ+RwPONXoRjDhIcp0fDlavx+W26nAKC0LHAV0J:yaFiKXKPcyBpezBZDDDAGQm78JU68
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-