General
-
Target
10092024_1840_09092024_Confirmation.docx.tar
-
Size
676KB
-
Sample
240910-xbac1aydrn
-
MD5
d150d5978cba44e9af5052e5f88bf247
-
SHA1
f6c3550177d4619f217ccf655351986f0019bbd8
-
SHA256
123e015d2cca29172525c587470b1a0e98f972824f93030b4d17684e7fe5f227
-
SHA512
d11d6ce413ea19c4869eddd0e758be6bd3376b60c9d79f5dc57060345f3bca516d7b089cd9b0f7acae4b1087a23b4965387e5269a4c6d769fbf852aa5d806cce
-
SSDEEP
12288:BBvukyixiAAwRuHwcwMBk3QEv2bUG15nBzZnGHrWa9bJ5Wna1fOW:BlYANRYwSYgx1HZnGn5Ma1fOW
Malware Config
Targets
-
-
Target
Confirmation.docx.exe
-
Size
1.3MB
-
MD5
cc457c86d15ea18546d9065f5ca4ee04
-
SHA1
66192064544af9b72ffd054ed8bde5aad95576c6
-
SHA256
59640b32fd4e89cd138da35df35473a554da351660e7b654610642433135032c
-
SHA512
0580495ce9856d5094cddd439fa2d4063b5e78d0d1af926259c45c72bda3ec357243c537474b8c8c390a8fe500de19ce2b3271896c779dccd0ccf980357f909a
-
SSDEEP
24576:ypCC3MJPg7zsOTpKwM4LNPprrwr6HSJAXv0E65vYZv/UdW3seBdZwq:hbg/Nhrsr6HSJSME6VXWzBkq
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1