General

  • Target: Orden_Factura.7z
  • Size: 881B
  • Sample: 240229-mygqgsfb72
  • MD5: c793b33d5bc92a685f7f10d4e446a17c
  • SHA1: ddcbd03d25b0d23451f6f13475e00b4756ff6207
  • SHA256: e082be83ef12ef9cba92c91709c6a505474762d1c526a1c40c32e7330090a4e9
  • SHA512: d64444261843a9cd7f1d81326000e6f9168073d12628749fae69b2d206fe11d02a92f71c810e276c119b86a93b9e72b92f619ba92b9019c082770ebbffa05f0b

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper: http://91.92.252.146:9007/mnof/server1.exe

Extracted

  • Family: lokibot
  • C2:
    http://91.92.252.146:8008/aioy/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target: Orden_Factura/Message.txt
    • Size: 38B
    • MD5: a31128e6f4b78a43a543a52b93375fa8
    • SHA1: a853abe9630cd94383ba6b90185d07453558c627
    • SHA256: 00c47d32acf4722533470a085740665c548ebf1a8165d8809a78a9a2f7b14437
    • SHA512: 4f2f096c0093ccffdd12999fcba697194d8d0abc55c8720112a3df5fafed5e453f1dbb86f9b3763db29297ac11bff6cb2aeb5ac6ede9019f99cf8db5c5ec893b
    • Score: 1/10

    • Target: Orden_Factura/Orden_Factura.lnk
    • Size: 2KB
    • MD5: a1d9127fa9b5bb37b3ba986011a1e926
    • SHA1: 00027f3009ac0c39711cf0204bcda7782f7caa24
    • SHA256: e5a57227ec0eabababdcbb01d0283d5ceafe4493188709884f7d14bd16f7f77d
    • SHA512: d6ef2188855821487ffa7d062f6b091ee84aa6b05d6e55e09e9a632471c7b54bd7c0c1111894fcc741bd03422371626d99839d92c88e3047d1795049a7fec03b

    • Lokibot
      Lokibot is a Password and CryptoCoin Wallet Stealer.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Suspicious use of SetThreadContext
