General

  • Target

    SOA #00776122.docx.doc

  • Size

    11KB

  • Sample

    230220-mgjhraaa61

  • MD5

    92c58afe23acd76e5f0ab0c8f0f0394e

  • SHA1

    319c1720352e2924c6630428b691ef8706731530

  • SHA256

    82f786b26b47b6e60bed7d7aacf0dc221c6ad426554fec30fab21d59549e949c

  • SHA512

    0b329608717007c410df29cf83d8b56f382e419499e8304ae5a91f5fc465a8399d932562f5e2d98fb863e78a3b20b4dda74e51665944823add61c5f2bcb8fb27

  • SSDEEP

    192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBC0nVj:aNxUyn0i13LROEiOLkX6Ujnw+35Vj

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVOVVVVVVVVVVVVVVVVOOOOOO@3235029245/O__O.DOC

This URL is obfuscated in two ways: the long run of letters before the "@" is URL userinfo, which an HTTP client discards, and the host "3235029245" is a dword-form IPv4 address that decodes to 192.210.160.253. The effective download location is therefore http://192.210.160.253/O__O.DOC; match on the decoded host rather than on the literal string.

Extracted

Family

lokibot

C2

http://208.67.105.148/sung/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      SOA #00776122.docx.doc

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords and cryptocurrency wallet data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read the browser's stored profile data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
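
The two behaviours the report ties to the document itself, the "Microsoft Office WebSettings Relationship" extraction and the "Abuses OpenXML format to download file from external location" signature, are straightforward to check by hand. The following is an added example (not code from the sandbox report or from any vendor rule set): it walks every relationship part in an OOXML container, reports relationships whose TargetMode is External, treats anything other than a plain hyperlink as suspicious, and normalises the extracted URL by dropping the userinfo and decoding the dword-form host. The document bytes are constructed in memory as sample data, not the real file; the frame and hyperlink relationship type URIs are the standard OOXML ones, and the assumption that the rule keys on word/_rels/webSettings.xml.rels is the author's, based on the rule name.

```python
"""Added example: flag external relationships in a .docx and normalise
the obfuscated URL they point at. Sample container is constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
FRAME_TYPE = OFFICE_REL + "frame"          # used by webSettings.xml.rels frames
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"  # the one external type a document routinely has

# The C2 URL as extracted in the report above.
SAMPLE_URL = ("http://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVO"
              "VVVVVVVVVVVVVVVVOOOOOO@3235029245/O__O.DOC")


def dword_to_ip(n: int) -> str:
    """Expand a 32-bit integer host ("dword" notation) into dotted quad."""
    if not 0 <= n < 2**32:
        raise ValueError("not a 32-bit value")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalise_url(url: str) -> str:
    """Drop the userinfo before '@' and decode a dword-form host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.isdigit():
        host = dword_to_ip(int(host))
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{host}{port}{parts.path}{query}"


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship with TargetMode="External" found in any
    .rels part of the container, tagging non-hyperlink ones as suspicious."""
    results = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part: not a relationship, skip here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                results.append({
                    "part": name,
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    "normalised": normalise_url(target) if target.startswith("http") else target,
                    "suspicious": rtype != HYPERLINK_TYPE,
                })
    return results


def build_sample_docx(frame_target: str) -> bytes:
    """Constructed minimal container (sample data, not the analysed file):
    a benign external hyperlink in document.xml.rels plus a webSettings
    frame relationship that fetches a remote document."""
    def rels(*entries):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{t}" Target="{tgt}" TargetMode="External"/>'
            for i, (t, tgt) in enumerate(entries, 1))
        return f'<Relationships xmlns="{REL_NS}">{body}</Relationships>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels",
                   rels((HYPERLINK_TYPE, "https://example.com/")))
        z.writestr("word/_rels/webSettings.xml.rels", rels((FRAME_TYPE, frame_target)))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_relationships(build_sample_docx(SAMPLE_URL)):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f'{flag:10} {hit["part"]} [{hit["type"]}] -> {hit["normalised"]}')
```

Run against a real sample by passing the file's bytes to external_relationships(); the benign hyperlink is reported but not flagged, while the webSettings frame relationship is flagged and its target is shown with the decoded host.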

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                          Count  ID
Execution          Exploitation for Client Execution  1      T1203
Defense Evasion    Modify Registry                    1      T1112
Credential Access  Credentials in Files               1      T1081
Discovery          System Information Discovery       3      T1082
Discovery          Query Registry                     2      T1012
Collection         Data from Local System             1      T1005
Collection         Email Collection                   1      T1114

Tasks