Resubmissions

  • 17-09-2023 21:42  230917-1kqywsfc99  10
  • 09-09-2023 02:55  230909-denv1sha92  10
  • 06-09-2023 17:13  230906-vrxr5aaa71  10
  • 13-08-2023 17:31  230813-v3xlhafe8v  10
  • 27-06-2023 12:47  230627-p1fx3sfa4w  10
  • 13-06-2023 16:07  230613-tklwlsgh96  10

General

  • Target: a.zip
  • Size: 832B
  • Sample: 230627-p1fx3sfa4w
  • MD5: 10e578867faad166dc6a8f3868cef2f4
  • SHA1: f541fab60d482834e90638c5aebdefe3d997174e
  • SHA256: 6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
  • SHA512: 38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

Malware Config

Extracted

  • Family: redline
  • Botnet: 1006
  • C2: 176.123.9.142:14845
  • Attributes
    • auth_value: b5da80860b093905c2bba6f9377af704

Extracted

  • Family: redline
  • Botnet: Lyla2606
  • C2: 168.119.239.218:36938
  • Attributes
    • auth_value: 7527b9f62058b03b6b592f42842aea35

Extracted

  • Family: lokibot
  • C2
    • http://161.35.102.56/~nikol/?p=5734041376
    • http://kbfvzoboss.bid/alien/fre.php
    • http://alphastand.trade/alien/fre.php
    • http://alphastand.win/alien/fre.php
    • http://alphastand.top/alien/fre.php

Targets

    • Target: a.zip

    • Lokibot: Lokibot is a password and cryptocurrency wallet stealer.
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and other sensitive data.
    • Accesses Microsoft Outlook profiles
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    • Credentials in Files (T1081): 2
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 2
    • Email Collection (T1114): 1
