Overview

overview

10

Static

static

1

Potrditev.cmd

windows7-x64

7

Potrditev.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c37109d5225709d11a36989b91b769d00264f719b98c357f7014fe02ad7dd17e

  • Size

    764KB

  • Sample

    240804-w9ff8swgqe

  • MD5

    4606821b05a032cc81c57a94e1d950ea

  • SHA1

    ed08181d0669ab284206b68f162b9b309449e772

  • SHA256

    c37109d5225709d11a36989b91b769d00264f719b98c357f7014fe02ad7dd17e

  • SHA512

    ae9d5f7d0fdebfca2cbf5f46323b166f2e3a40fce9d6218db46487f7cb3d93983db49200401875fb245636e6210173dbb6e5c2ba4855fd79c53d1d5fd17c83bd

  • SSDEEP

    12288:2PdJ9pyuWvg76lM4WWC/x5qQSTG3Z65fEHyM5HLyXkZwctzLnGDzWxF0ALJV+Ei+:SHvyuWvg76Mx4ep65gJ5HWhctzLnGDzS

Score
10/10
lokibotmodiloadercollectioncredential_accessdiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Potrditev.cmd

    • Size

      2.8MB

    • MD5

      306e6e3743666b8f5fedb0127b041883

    • SHA1

      53ac1756ee69296be5f5c99ee18b1d1cb70369d4

    • SHA256

      20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc

    • SHA512

      233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1

    • SSDEEP

      24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B

    Score
    10/10
    discoverylokibotmodiloadercollectioncredential_accesspersistencespywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks