Overview

overview

10

Static

static

3

04bcf38fe7...7f.exe

windows7-x64

7

04bcf38fe7...7f.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4123adc7fb7ebd593662bdf2c415afd6.bin

  • Size

    354KB

  • Sample

    240817-blqbbaydla

  • MD5

    f0fe60027807b4f404ac0bfb0444af04

  • SHA1

    918802ca8e10b9b20656ee3ff6f7e6d00fbbb1d8

  • SHA256

    1622b7a78bf26276fabcb4ef00eb29957bc70c76c97966922a51d26eb7b19503

  • SHA512

    ce4dd96794851366136f44a0d02bc2927d815067f1db89c1aaa7f07cadb770c4623ddb8088caf72a08125d3a54db50716dc5dfafdc4743048f2ae6dad453e054

  • SSDEEP

    6144:aN3aDKsjTdCC1EtcbZJ5f0nhHEIOA+npjYjZLSjYhkKG9Ri/bq5eio/QBHenf7on:apjQY6GmNfQhHPOAGjYFaYh26h/QiUBJ

Score
10/10
lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/wp?edit=92441867177748

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      04bcf38fe795bd3884ba28e2b28d7848cdaf880b057d9d8263629901220fdf7f.exe

    • Size

      522KB

    • MD5

      4123adc7fb7ebd593662bdf2c415afd6

    • SHA1

      9b429517289adb669897f3b8c9b5fd0f5be570d4

    • SHA256

      04bcf38fe795bd3884ba28e2b28d7848cdaf880b057d9d8263629901220fdf7f

    • SHA512

      29c6a850368b88bd40ef16b9ea018d4f8bb35bcbb254b82ec4e12e76e4613241184f2f8f31d142335c2230dc656841194a0fef8a4b4cebd11c9283c5322f5171

    • SSDEEP

      12288:KS4O7b4e/75hsekk5Ha8bBA2QK4Ym1yvdLXuzbJ:R49ez56u9DQKAeLGJ

    Score
    10/10
    discoverylokibotcollectioncredential_accessspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      af4324802813a5a897db2167fc10e291

    • SHA1

      916bd47457dcb4247743626e86492436b77bebf8

    • SHA256

      92cb3b3a7280246743543325d3fe9a7d72c63227f9540d25d5ef27b2ce8856b4

    • SHA512

      cb3e07c4558049634078808bd419860c6e2855a02bba79541cea80873fe6db58cf667a27c111521df09ef30f92c149736092c473fde28bbb5974be6d7ddab83c

    • SSDEEP

      48:qcjtDVP10LgQL8QRU8IlmWm7WmnuWK8hSemoMqG5QEv8sF9UwofMU:xVPFQIqlemWm7WmTaehG+Ekq

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      6c38da8922cc37b4bbb77de4a63ad843

    • SHA1

      4e0533fd11df8bddbd543ed58df7b6060d9f4631

    • SHA256

      1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1

    • SHA512

      ad0be3d7e57da9c304e9b9cac5341b6c76b157456ab44f5579d6c38c830a31c9c3e1e9a875b8f465243c607ea2ede6b0bb77237f17a70a4d4c78606e036c3430

    • SSDEEP

      192:wA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:QR7SrtTv53tdtTgwF4SQbGPX36g9Mw

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks