General
-
Target
shipping documents.xls
-
Size
666KB
-
Sample
230208-w9hllaec99
-
MD5
6ee345e07d729dc67be58d9f4d714cd7
-
SHA1
e3048b4cb23be971dc02532a26a66f891ec50744
-
SHA256
53560a2f4539618ffbc4951d192f9db8c9d196792cfd790489ebd1c107abba2f
-
SHA512
dcbf0fcd827083f0183f06f7350cf059b255d472a0fbd91896369c08d04544cc7cb95b82fcc78bd2deaa4e73304082d243c43291edd99864e50889f59fd32488
-
SSDEEP
12288:JzBYuizBZf8cAf7/A/4dU+6ZI7vsfXXXXXXXXXXXXUXXXXXXXXXXXXXXXX6:pBriB+ckA/2U+T7+XXXXXXXXXXXXUXX6
Malware Config
Extracted
lokibot
http://171.22.30.164/kung/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
shipping documents.xls
-
Size
666KB
-
MD5
6ee345e07d729dc67be58d9f4d714cd7
-
SHA1
e3048b4cb23be971dc02532a26a66f891ec50744
-
SHA256
53560a2f4539618ffbc4951d192f9db8c9d196792cfd790489ebd1c107abba2f
-
SHA512
dcbf0fcd827083f0183f06f7350cf059b255d472a0fbd91896369c08d04544cc7cb95b82fcc78bd2deaa4e73304082d243c43291edd99864e50889f59fd32488
-
SSDEEP
12288:JzBYuizBZf8cAf7/A/4dU+6ZI7vsfXXXXXXXXXXXXUXXXXXXXXXXXXXXXX6:pBriB+ckA/2U+T7+XXXXXXXXXXXXUXX6
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-