General

  • Target

    C0R562463T7423695.eml

  • Size

    614KB

  • Sample

    240917-h1teva1aje

  • MD5

    2dfc82e8b4ade3c49711453a85043b9e

  • SHA1

    978965ef34473ceb3376fcc6ebe8d8f4cd240d23

  • SHA256

    f2823b58001e053543a31d78c60ecc2981906bd346859d7df4fdf83bd3179bc0

  • SHA512

    a327bf7974db538a10854c753b39afe346ce5d26a8e7ce2bf12f788aa9d8e7116559cc72d97f8209cee38baadc6f9b6c5da7a7ae5bdcdc72f7498d68e28a277d

  • SSDEEP

    12288:KLDQYdEmE+rVDJJ9+XZKVKTdj6Y776rqSdvYXa0lT8HxC21/RObwqDO4Oj:KL1dEerFL9uKOh6Y77FCgKugAwqDO42

Malware Config

Extracted

Family

lokibot

C2

http://45.76.66.70/?s=posts?view=7tlrosk

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      DHL Shipment DOC_643040277.exe

    • Size

      474KB

    • MD5

      a5c4fe574a4f4c02bbacb8403e2af0c4

    • SHA1

      5f80d813fca3c8d2d07ddf036ffe00512f56ff3a

    • SHA256

      ca07a9e0cf3fda664abfb2ff32e6d5de3c596a93f57631b25fe6c6ae326c4315

    • SHA512

      d3c1ff9bb9aa5dc08fdbfcf3f9f1cb29cf11d5bbf71408789e673fe842e32a3df1c3ca7d25947f7dbee2d3114afb2aaff6bef7aa2b626ed8166843f7c81e6989

    • SSDEEP

      12288:1hc09rFtmnmmcnYXZB0xdBA3NOTRwNakPZuLhKOkR:15tm5qW0LTyjZuNKV

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks