General

  • Target

    22052024_1252_22052024_Swift_FCP240522532.PDF.zip

  • Size

    499KB

  • Sample

    240522-p4ejescb3y

  • MD5

    7186e5f344dd2f9877e16b404db416a5

  • SHA1

    6d5c7eea5e3f4a64a1a6c3b7194a3037dd7d5463

  • SHA256

    0eaed36cd55d9f368c68e37ca4f22e6504dcd035374214b5841a4cc7fc85229f

  • SHA512

    7acdc20e2ee126151fe72acd9031cdb1ad83d37bd2059669b6d9810d5d6d994d408a2ff2d23f100132cd9ab9a7f61cb265bd69250d196421565b65ac4287d9fd

  • SSDEEP

    12288:8gbELUh0WgZbs0CYYRegv/M1Kx5BPKYcbzvepe:8jQqWgB5yj01I5BPKvbrH

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com
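The two configs above yield IOCs of very different value, and a blocklist that treats them alike causes trouble. The four Lokibot domain URLs (kbfvzoboss.bid and the alphastand.* hosts) come from the Lokibot builder and appear in a large share of Lokibot samples, often dead; the IP-based URL is the one specific to this sample. Formbook's "Decoy" list is, by design, mostly legitimate domains used as cover traffic to hide the single real C2, so a match there is a lead, not a verdict. The script below is an added example (not part of the sandbox report): it indexes the extracted hosts with a confidence tier and runs them over a few constructed proxy-log lines. The log format, the tier rules and the promotion of a POST to the exact gate path are assumptions.

```python
"""Tiered matching of the extracted Lokibot / Formbook network IOCs against
proxy logs. Added example; not part of the sandbox report. Log lines are
constructed, and the tiering rules are an assumption."""
import re
from urllib.parse import urlsplit

# Lokibot C2 URLs exactly as extracted above.
LOKIBOT_C2 = [
    "http://45.61.137.215/index.php/3b1tenbkyj",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Formbook decoy list as extracted above. Most of these are legitimate sites
# used as cover traffic; only one is the real C2, so they are low confidence.
FORMBOOK_DECOYS = """
almouranipainting.com cataloguia.shop zaparielectric.com whcqsc.com ioco.in
aduredmond.com vavada611a.fun humtivers.com jewellerytml.com
mcapitalparticipacoes.com inhlcq.shop solanamall.xyz moviepropgroup.com
thegenesis.ltd cyberxdefend.com skinbykoco.com entermintlead.com
honestaireviews.com wyclhj7gqfustzp.buzz w937xb.com
""".split()

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed proxy-log format (assumed): timestamp, client, method, URL, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' (Formbook beacons
    are commonly seen with www. prepended to the decoy host)."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_index():
    """Map host -> {family, tier, paths}. Tiers (assumed):
    high   = unique to this sample (the IP-based Lokibot gate)
    medium = Lokibot builder-default domains shared across many samples
    low    = Formbook decoys, mostly legitimate domains"""
    index = {}
    for url in LOKIBOT_C2:
        parts = urlsplit(url)
        host = normalize_host(parts.hostname)
        entry = index.setdefault(host, {"family": "lokibot", "tier": "medium", "paths": set()})
        if IPV4_RE.match(host):
            entry["tier"] = "high"
        entry["paths"].add(parts.path)
    for domain in FORMBOOK_DECOYS:
        index.setdefault(normalize_host(domain), {"family": "formbook", "tier": "low", "paths": set()})
    return index


def match_log(lines, index=None):
    """Return one hit per log line whose host is in the index."""
    index = build_index() if index is None else index
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        parts = urlsplit(m["url"])
        host = normalize_host(parts.hostname)
        entry = index.get(host)
        if entry is None:
            continue
        tier = entry["tier"]
        # A POST to the exact Lokibot gate path is a beacon, not browsing:
        # promote it even when the domain is a widely shared builder default.
        if entry["family"] == "lokibot" and m["method"] == "POST" and parts.path in entry["paths"]:
            tier = "high"
        hits.append({"ts": m["ts"], "src": m["src"], "host": host,
                     "family": entry["family"], "tier": tier})
    return hits


# Constructed log lines (not from the report).
SAMPLE_LOG = [
    "2024-05-22T12:55:01Z 10.0.0.5 POST http://45.61.137.215/index.php/3b1tenbkyj 404",
    "2024-05-22T12:55:03Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php 503",
    "2024-05-22T12:56:10Z 10.0.0.7 GET http://www.honestaireviews.com/ 200",
    "2024-05-22T12:56:11Z 10.0.0.7 GET http://cyberxdefend.com/ 200",
    "2024-05-22T12:57:00Z 10.0.0.9 GET https://example.org/ 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(f'{hit["tier"]:6} {hit["family"]:8} {hit["src"]} -> {hit["host"]} ({hit["ts"]})')
```

In practice the "low" hits are what you pivot on, not block: a host that beacons to several decoys in sequence with small POST bodies is the Formbook pattern, whereas a single GET to one of them is usually a user browsing.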

Targets

    • Target

      Swift_FCP240522532.PDF.exe

    • Size

      524KB

    • MD5

      3911e099bed114b7417378e2dbe079d1

    • SHA1

      00fea996bbff2b686a0b3e275d536babacefc0af

    • SHA256

      e9e09c2f8031763a0c8494d500bd28ca3adc87d5f700111255db99f8142f2933

    • SHA512

      55630fbf32fb702185fbc3f6adee9f5775e6e91c0c1bf9e448d7506ebed15852970946d856d9dd399f0b12da3f0a97a05c6c2803a4546e8a034e8f89eeb3694b

    • SSDEEP

      12288:7EELYhiWgZlgyCGYRe6v/M1Kx5pPKYcfzvw:oEskWgDDyb01I5pPKvfr

    • Formbook

      Formbook is an information stealer: it harvests credentials and form data from browsers and other applications through injected hooks, logs keystrokes and clipboard contents, and takes further commands from its C2.

    • Lokibot

      Lokibot is an information stealer that targets saved passwords (browsers, mail and FTP clients) and cryptocurrency wallets.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
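The PowerShell behaviour listed above (Add-MpPreference / Set-MpPreference with -Exclusion* parameters) is one of the few actions in that list that is hard to explain as legitimate, and ATT&CK files it under T1562.001, Impair Defenses: Disable or Modify Tools, which the matrix on this page does not break out. The script below is an added example, not from the report: it scans constructed Sysmon-style process-creation events for those cmdlets, decodes an -EncodedCommand blob first so the check cannot be dodged by base64, and returns the excluded paths, extensions and processes. Field names follow Sysmon Event ID 1; the command lines, the parent image and the excluded values are constructed.

```python
"""Detection for the Defender-exclusion behaviour flagged above: PowerShell
calling Add-MpPreference / Set-MpPreference with -Exclusion* parameters.
Added example, not from the report. Events are constructed, Sysmon EID 1-style."""
import base64
import binascii
import re

# Cmdlets that change Defender preferences.
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# Any -Exclusion* parameter and its value. PowerShell accepts unambiguous
# prefixes (-ExclusionP reaches -ExclusionPath) and the -Param:value form,
# so match the stem and either separator, not a fixed list of full names.
EXCLUSION_RE = re.compile(r"""(-Exclusion\w*)(?:\s+|:)("[^"]*"|'[^']*'|\S+)""", re.IGNORECASE)

# -e / -ec / -enc / -encoded / -encodedcommand followed by a base64 blob.
# The \b keeps -ExecutionPolicy and -ExclusionPath from matching here.
ENC_RE = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or '' if none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def detect(events):
    """Return one finding per event that sets Defender exclusions.
    Each finding lists (parameter, value) pairs, lower-cased and unquoted."""
    findings = []
    for ev in events:
        cmdline = ev.get("CommandLine", "")
        decoded = decode_encoded_command(cmdline)
        haystack = cmdline + "\n" + decoded  # inspect raw and decoded text alike
        if not MP_CMDLET_RE.search(haystack):
            continue
        exclusions = [(param.lower(), value.strip("\"'"))
                      for param, value in EXCLUSION_RE.findall(haystack)]
        if not exclusions:
            continue
        findings.append({
            "image": ev.get("Image"),
            "parent": ev.get("ParentImage"),
            "encoded": bool(decoded),
            "exclusions": exclusions,
            "technique": "T1562.001",  # Impair Defenses: Disable or Modify Tools
        })
    return findings


def _encoded(script):
    """Build an -EncodedCommand blob the way PowerShell expects (UTF-16LE + base64),
    so the sample below needs no hand-computed base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\dropper.exe"  # constructed parent

# Constructed events (not from the report); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": r'''powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionExtension exe -ExclusionProcess 'C:\Users\Public\update.exe'"'''},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                    + _encoded(r"Set-MpPreference -ExclusionPath C:\ProgramData")},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'{f["technique"]} parent={f["parent"]} encoded={f["encoded"]} {f["exclusions"]}')
```

The read-only Get-MpPreference call is deliberately left out of the findings; enumerating exclusions is normal administration, changing them from a process spawned out of a user's Temp directory is not, so the parent image is carried in the finding for exactly that triage question.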

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic        Technique                            Count  ID
Execution     Command and Scripting Interpreter    1      T1059
Execution     PowerShell                           1      T1059.001
Discovery     Query Registry                       1      T1012
Discovery     System Information Discovery         2      T1082
Collection    Email Collection                     1      T1114

Tasks