General
- Target: Shipping Documents.doc
- Size: 125KB
- Sample: 240528-hwhsjsbe49
- MD5: 058f5dd7756ab39d20629b5ad9db24ac
- SHA1: 1880da6d62657c1fa7fc0334caeecdf4af89a9fe
- SHA256: 6e2a43497c3aa3256186a8483c9b7190126f86d10f06a2c17620542d573c4cf1
- SHA512: c8924e267cf6e0231c7d9982663cba2bceb1ab1be8a206b90e54ec6d2f9b360534da9d029fc3044ffd999840d4150c61f3c6930cf4c50ec9603fbcfb77cbe0fe
- SSDEEP: 1536:JwAlRkwAlRkwAlRkwAlRqTNvM/FceGxXf:JwAlawAlawAlawAlKNvKehxP
Static task
- static1

Behavioral task
- behavioral1
  - Sample: Shipping Documents.rtf
  - Resource: win7-20240215-en

Behavioral task
- behavioral2
  - Sample: Shipping Documents.rtf
  - Resource: win10v2004-20240426-en
Malware Config
Extracted: lokibot
- http://rocheholding.top/evie3/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: Shipping Documents.doc
- Size: 125KB
- MD5: 058f5dd7756ab39d20629b5ad9db24ac
- SHA1: 1880da6d62657c1fa7fc0334caeecdf4af89a9fe
- SHA256: 6e2a43497c3aa3256186a8483c9b7190126f86d10f06a2c17620542d573c4cf1
- SHA512: c8924e267cf6e0231c7d9982663cba2bceb1ab1be8a206b90e54ec6d2f9b360534da9d029fc3044ffd999840d4150c61f3c6930cf4c50ec9603fbcfb77cbe0fe
- SSDEEP: 1536:JwAlRkwAlRkwAlRkwAlRqTNvM/FceGxXf:JwAlawAlawAlawAlKNvKehxP

- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext