General

  • Target

    QUOTATION_23456.xls

  • Size

    1.3MB

  • Sample

    230328-g141xabb21

  • MD5

    052e3ec118dfda0df463bd85853a8210

  • SHA1

    c4b98bb4138b57b0c6e004bf2ce32a432b5a5bf3

  • SHA256

    11c087d89a15a3d35b352967d16c19f816de81f9f7a8b62426526564b3cbcd22

  • SHA512

    7fe2af2f0ff6551e035a10086185da08d90e99d91fff18b20b047202755e6f528b7b30a363474139faf8b89913eec88bf99276f153af22f89a098c5da1d9ed7c

  • SSDEEP

    24576:rLKcSSMMednE3akAmmjmCakAmmjmt+MXURakAmmjmL+MXUGvmS2222222222222B:rLKQM8aaoxaaoa+MXyaaoQ+MXsP/S

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/kung/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      QUOTATION_23456.xls

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks