General
-
Target
c92a29ffe704fd01df9832b221781fe8cafef9fcd125fb380227571cd94df921.doc
-
Size
164KB
-
Sample
240511-cavx4ahc74
-
MD5
a9c19478afbe4b0cfef5909bfe3ea1f7
-
SHA1
156096e4a1afa49747fd177ebe3bf744103d58cc
-
SHA256
c92a29ffe704fd01df9832b221781fe8cafef9fcd125fb380227571cd94df921
-
SHA512
cdb53484d8f7d1e934ec35c067a30bc8ab40068f197921403cce6ffcdae05e1e3588fc1c57fa155c776338cbb00a54638f39b76ce795152fb66e5da996db11f2
-
SSDEEP
3072:VwAlawAlawAlawAlawAlawAlPmtIwDdVN03czX/:VwAYwAYwAYwAYwAYwArwDdVN6czX/
Malware Config
Extracted
lokibot
http://195.123.211.210/evie1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
c92a29ffe704fd01df9832b221781fe8cafef9fcd125fb380227571cd94df921.doc
-
Size
164KB
-
MD5
a9c19478afbe4b0cfef5909bfe3ea1f7
-
SHA1
156096e4a1afa49747fd177ebe3bf744103d58cc
-
SHA256
c92a29ffe704fd01df9832b221781fe8cafef9fcd125fb380227571cd94df921
-
SHA512
cdb53484d8f7d1e934ec35c067a30bc8ab40068f197921403cce6ffcdae05e1e3588fc1c57fa155c776338cbb00a54638f39b76ce795152fb66e5da996db11f2
-
SSDEEP
3072:VwAlawAlawAlawAlawAlawAlPmtIwDdVN03czX/:VwAYwAYwAYwAYwAYwArwDdVN6czX/
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-