Overview

overview

10

Static

static

3

795af0703a...57.exe

windows7-x64

10

795af0703a...57.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357.exe

  • Size

    512KB

  • Sample

    240530-bn5h1shb9y

  • MD5

    cff39149d540e851536383f64d5f5568

  • SHA1

    2cd49c6f28ecea254e22a75e3e77092a67d26774

  • SHA256

    795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357

  • SHA512

    0f3eb77eb9396ec5ec63fc166e12167bf651e433b5c7831935ed2c965eed85b94b9893e6d20d207473f126b273f60c4b6378859b85613cc630acd7c7b70a6ba6

  • SSDEEP

    12288:UidJS4V9ulMb8Z6j2B0TM4kQhrLO9rAq7BH7Q4a2Y4tS87W:5ScN4ZsvTM4DhXfIBUa17W

Score
10/10
formbooklokibotdn03collectionexecutionratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

    • Target

      795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357.exe

    • Size

      512KB

    • MD5

      cff39149d540e851536383f64d5f5568

    • SHA1

      2cd49c6f28ecea254e22a75e3e77092a67d26774

    • SHA256

      795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357

    • SHA512

      0f3eb77eb9396ec5ec63fc166e12167bf651e433b5c7831935ed2c965eed85b94b9893e6d20d207473f126b273f60c4b6378859b85613cc630acd7c7b70a6ba6

    • SSDEEP

      12288:UidJS4V9ulMb8Z6j2B0TM4kQhrLO9rAq7BH7Q4a2Y4tS87W:5ScN4ZsvTM4DhXfIBUa17W

    Score
    10/10
    lokibotcollectionexecutionspywarestealertrojanformbookdn03rat

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Formbook payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks