General

  • Target

    bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051.doc

  • Size

    138KB

  • Sample

    240524-b3geqsgh36

  • MD5

    a19ff7526e4447064c95123087783231

  • SHA1

    28cd27bb7050fb4f5534f584b83ca3be90d64ac8

  • SHA256

    bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051

  • SHA512

    48fdf3b34fad1e18c44e252caf530ded20a595bf0442ea6d50b90b3d623674a5523cd03fbe37ee9268db3d0b22f2d256aa8f8514894188947174b2d0c3fea9fe

  • SSDEEP

    1536:6wAlRkwAlRkwAlRkwAlRqQD1vzq1VvkwoYOOG:6wAlawAlawAlawAlgQDdyVvzrO3

Malware Config

Extracted

Family

lokibot

C2

http://rocheholding.top/evie3/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051.doc

    • Size

      138KB

    • MD5

      a19ff7526e4447064c95123087783231

    • SHA1

      28cd27bb7050fb4f5534f584b83ca3be90d64ac8

    • SHA256

      bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051

    • SHA512

      48fdf3b34fad1e18c44e252caf530ded20a595bf0442ea6d50b90b3d623674a5523cd03fbe37ee9268db3d0b22f2d256aa8f8514894188947174b2d0c3fea9fe

    • SSDEEP

      1536:6wAlRkwAlRkwAlRkwAlRqQD1vzq1VvkwoYOOG:6wAlawAlawAlawAlgQDdyVvzrO3

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks