Extracted

• • Target

    6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd

  • Size

    3.1MB

  • MD5

    a7ecf2d80475a31c10bfdddd8c060548

  • SHA1

    f2b81ba9aa32b39fa41558f67d2627ab3da72f29

  • SHA256

    6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc

  • SHA512

    64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5

  • SSDEEP

    24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR

  Score

  10^/10

  discoverylokibotmodiloadercollectioncredential_accesspersistencespywarestealertrojan

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • ModiLoader Second Stage

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2