General

  • Target

    PO 9200042879.docx

  • Size

    10KB

  • Sample

    230418-h53t3sab73

  • MD5

    534dea827f40e5e0727fcee72c884c61

  • SHA1

    392e3265c99c7de2e357bea44fd144f9af7b7a36

  • SHA256

    e687f3f49a98f138c03b8b65b70546054c4d4d4de99b7d59f344d2f24b4f1a4f

  • SHA512

    c82ffb3947b52b541a0700593cd7c70acd296af836f8f9e7614793caab6831410f135ee82a33352907a98ca8073aed8503e207fa8d3098e5d766e4a7b622ef58

  • SSDEEP

    192:ScIMmtPGT7G/bIwXOVOk+75SEzBC4vNq6sM63lKJe:SPXuT+xXOVOk2hlqHlK8

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23ZZZZ99999999ZZ‪‬ZZZ‪‬Z999999‪‬99ZZZZZZZ55555Z5Z5Z55Z5Z5Z5ZZZZZZZ0LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@760759131/w/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc

Extracted

Family

lokibot

C2

http://171.22.30.164/okuman/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PO 9200042879.docx

    • Size

      10KB

    • MD5

      534dea827f40e5e0727fcee72c884c61

    • SHA1

      392e3265c99c7de2e357bea44fd144f9af7b7a36

    • SHA256

      e687f3f49a98f138c03b8b65b70546054c4d4d4de99b7d59f344d2f24b4f1a4f

    • SHA512

      c82ffb3947b52b541a0700593cd7c70acd296af836f8f9e7614793caab6831410f135ee82a33352907a98ca8073aed8503e207fa8d3098e5d766e4a7b622ef58

    • SSDEEP

      192:ScIMmtPGT7G/bIwXOVOk+75SEzBC4vNq6sM63lKJe:SPXuT+xXOVOk2hlqHlK8

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks