General

  • Target

    rPedidodeOfertadePre__o_USP2307-17BR___pdf.exe

  • Size

    740KB

  • Sample

    230718-erc5qagb93

  • MD5

    45940981fe909cc104ec39b580478b4e

  • SHA1

    8e488051c1c83b3d2d907bfe44f091089a1fa02a

  • SHA256

    e315436194fc3393c84aac01a11d3bc646eba90cb6a1a103e60c1774bc7e2b4b

  • SHA512

    301f8da8ee665bc1de148f5dc2468702a5d0df20ef73ef80b40dcc09238c6fba93a0ac2e49ed0ebae3cb670e306ee4775878420096c7763127878f0179b2169b

  • SSDEEP

    12288:Tg9mdK89EERUXCS3rDsFYih//SZUnkdovlo1MfxmVISRfwelsIDS5pEA81ZM6:UmdK2naCqrwrh3xkd2x6gelQf2

Malware Config

Extracted

Family

lokibot

C2

http://138.68.56.139/?p=62556427884317

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks