Overview

overview

10

Static

static

3

d3da082907...db.exe

windows7-x64

7

d3da082907...db.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d3da082907c75a88393ad46bf337118da46abcefe4c6a245a5e586bf3ed727db.exe

  • Size

    362KB

  • Sample

    240810-b6gvnstgqc

  • MD5

    1120f2f46d81e2f15a7462d93ba6d08f

  • SHA1

    33ace7258f9451c62456f676a629fa1b46a4049f

  • SHA256

    d3da082907c75a88393ad46bf337118da46abcefe4c6a245a5e586bf3ed727db

  • SHA512

    5d1f99e14118dd0d74948c82f43350840cf393092db42cb0cba767b1ba33994db9f954ab82f7e01408a5354b821e6e574e1d8a2b698f229e7eae6e488edf6acb

  • SSDEEP

    6144:BMm4CCe7vZ10g7LU6pFMNADjG0AaoKLhtHRpbmEVDhgZOpSMCwHqK3Mwox8qOsgC:BMwZFvMN8GfY5fVlzY6quMiqhn

Score
10/10
guloaderlokibotcollectioncredential_accessdiscoverydownloaderspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/wp?edit=92441867177748

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      d3da082907c75a88393ad46bf337118da46abcefe4c6a245a5e586bf3ed727db.exe

    • Size

      362KB

    • MD5

      1120f2f46d81e2f15a7462d93ba6d08f

    • SHA1

      33ace7258f9451c62456f676a629fa1b46a4049f

    • SHA256

      d3da082907c75a88393ad46bf337118da46abcefe4c6a245a5e586bf3ed727db

    • SHA512

      5d1f99e14118dd0d74948c82f43350840cf393092db42cb0cba767b1ba33994db9f954ab82f7e01408a5354b821e6e574e1d8a2b698f229e7eae6e488edf6acb

    • SSDEEP

      6144:BMm4CCe7vZ10g7LU6pFMNADjG0AaoKLhtHRpbmEVDhgZOpSMCwHqK3Mwox8qOsgC:BMwZFvMN8GfY5fVlzY6quMiqhn

    Score
    10/10
    discoveryguloaderlokibotcollectioncredential_accessdownloaderspywarestealertrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      08de81a4584f5201086f57a7a93ed83b

    • SHA1

      266a6ecc8fb7dca115e6915cd75e2595816841a8

    • SHA256

      4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

    • SHA512

      b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

    • SSDEEP

      48:S46+/1TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mLofjLl:zHuPbOBtWZBV8jAWiAJCdv2CmeL

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      6e55a6e7c3fdbd244042eb15cb1ec739

    • SHA1

      070ea80e2192abc42f358d47b276990b5fa285a9

    • SHA256

      acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

    • SHA512

      2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

    • SSDEEP

      192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks