General
-
Target
a411c5f01d2a3c00973839711c3ab747.rtf
-
Size
24KB
-
Sample
230605-e1yssafc9v
-
MD5
a411c5f01d2a3c00973839711c3ab747
-
SHA1
24b5f0c0aa6c680f53b455ac642543ada941f0cf
-
SHA256
06b439539652aeec2b097c39ac61660e746b5961a0f8110035fbc8237d4eff8c
-
SHA512
04c3eeba83474a3cc06ba2a18cab513d33cdf71d76a1fbf343bc83abcbfd97731752986e335810a386f2586d240cb7d8d897169276841f0d40d0ae73ff62dae7
-
SSDEEP
768:N0Xs6DQe43kxzrt6X+Q8rMZtdD5HZTZZg127Pg:yFTzUX2rMx5H9ZZg1yPg
Malware Config
Extracted
lokibot
http://185.246.220.85/line/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
a411c5f01d2a3c00973839711c3ab747.rtf
-
Size
24KB
-
MD5
a411c5f01d2a3c00973839711c3ab747
-
SHA1
24b5f0c0aa6c680f53b455ac642543ada941f0cf
-
SHA256
06b439539652aeec2b097c39ac61660e746b5961a0f8110035fbc8237d4eff8c
-
SHA512
04c3eeba83474a3cc06ba2a18cab513d33cdf71d76a1fbf343bc83abcbfd97731752986e335810a386f2586d240cb7d8d897169276841f0d40d0ae73ff62dae7
-
SSDEEP
768:N0Xs6DQe43kxzrt6X+Q8rMZtdD5HZTZZg127Pg:yFTzUX2rMx5H9ZZg1yPg
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-