Overview

overview

10

Static

static

1

9f95cdb078...e5.vbs

windows7-x64

1

9f95cdb078...e5.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    982811bd1fb10c1efb72f21a21f9a1e9.bin

  • Size

    39KB

  • Sample

    230605-n8mvxsge27

  • MD5

    d1709bde8244f0c67d36cae714233764

  • SHA1

    d308255bd95e37e87cae112a62cef1fc70df9589

  • SHA256

    e76516e2d4e6640c63238e3bf20af15d964f5f560807b84519ad30abeab229d2

  • SHA512

    03cb0f81d18a6a0db355dddbda8bf2e54806841dec818bee9f6c575cdbc83d58dd82f4ca762712436a80054cb7b64459a24a79253f4d1c5db7802458e44fcfd8

  • SSDEEP

    768:XNZiOT+8rI4x4vagCe5VOGhMhLAh/e+SnbEPdpRIqEnN1Z:zn+8cRag4EaoxIqW

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://firebasestorage.googleapis.com/v0/b/fsociety-ec922.appspot.com/o/rump.txt?alt=media&token=0643a2d7-350d-484f-8dbe-97a53621d0c2

Extracted

Family

lokibot

C2

http://161.35.102.56/~nikol/?p=2132

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5.vbs

    • Size

      411KB

    • MD5

      982811bd1fb10c1efb72f21a21f9a1e9

    • SHA1

      7b3d89bd7f559af1a1269fb64298dccf149547c7

    • SHA256

      9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5

    • SHA512

      08ee91b90079bbdd9ee9525dd61c0f5a778390a1dac7b5ca2ea9fed6ef8328974c184534f1c93ed6eae0dfddf7e736391f25d63694c5fc830e434fec53179f11

    • SSDEEP

      3072:8HGRwfHYFvhNe4VTdRnTT8w4TWb4qsIgZdpe+og0S7wQzS18f8d6bb/g52r:XwfHYFJ4qc

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks