General
-
Target
e3ba2aad-07d0-422b-a318-cdfe2784e3bc.docx
-
Size
10KB
-
Sample
230305-g3wsbafc6z
-
MD5
d49730cd5ca9b74c501f728e7252ad00
-
SHA1
7805590ffd6fe168accb4d67f12ffc9256f18455
-
SHA256
b32a53d373444d380506d91ba97b42a82d3f5dc787352589eaab58ecac8175f5
-
SHA512
1075ae933b928a1b6b94a7e60024d46565374fd846f8022cef1b2b1a452ad7cccbea4ef28311d49b8a239012cacc758515dea825ee5cba0b27f100271610975d
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOUAIl+CVWBXJC0c37G:SPXU/slT+LO2HkZC9q
Malware Config
Extracted
http://OOOW3OOOOOOO233OOOOOO23OO33B2OB32O32O32B3O23BO33O3S0DFSDF0X000F0SD0000WLLL21LLLLL222LLLLL3333LELLL@1806685202/ru.........................................doc
Extracted
lokibot
http://185.246.220.60/shen/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
e3ba2aad-07d0-422b-a318-cdfe2784e3bc.docx
-
Size
10KB
-
MD5
d49730cd5ca9b74c501f728e7252ad00
-
SHA1
7805590ffd6fe168accb4d67f12ffc9256f18455
-
SHA256
b32a53d373444d380506d91ba97b42a82d3f5dc787352589eaab58ecac8175f5
-
SHA512
1075ae933b928a1b6b94a7e60024d46565374fd846f8022cef1b2b1a452ad7cccbea4ef28311d49b8a239012cacc758515dea825ee5cba0b27f100271610975d
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOUAIl+CVWBXJC0c37G:SPXU/slT+LO2HkZC9q
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-