General

  • Target: Avery Dennison 873311 MCH..doc
  • Size: 64KB
  • Sample: 240314-fm3p9add62
  • MD5: 4b4d5065ec14383016d7730c1c8c6b38
  • SHA1: 6d6869d87b6ffd24d1374cc0f83b6e6d5f5eed52
  • SHA256: 4989f0bfd201ba820a8ee658ca5cc3c89812bc7540d7ce3bf22e48b7873a0306
  • SHA512: 412c8e5a259c2c21d990741412437ed377cb8629a9a3cce3c8222d2141a15fb1ceacc7f58d3f3a6d19e452962f2ca84c35943f6a8a677ba23037395435a89cca
  • SSDEEP: 768:GwAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjaomZK1otuhXlV96Oj5e:GwAlRkwAlRkwAlRPvvwVV9le

Malware Config

Extracted

Family: lokibot

C2:

  • https://sempersim.su/c11/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Targets

    • Lokibot: Lokibot is a password and cryptocurrency wallet stealer.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Accesses Microsoft Outlook profiles
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks