General

  • Target

    30092024_1242_29092024_PERMINTAAN ANGGARAN (Universitas IPB) ID177888.rar

  • Size

    32KB

  • Sample

    240930-pxdnjszepe

  • MD5

    6cfc2c072663cd8cf83452fffea0f1a4

  • SHA1

    513d4659c2a44ce344ae60948892eb52ced22d85

  • SHA256

    19fc1dd23605dac18b071693978f7a27fba7dc0e112ceb12b99a8b0334569f0a

  • SHA512

    18b1ccd2af1147c5d78d9a0d9c2a696e41490ed06f394f7fc67ea52fd1bc916da1441bde87826188c31bbf9cc7021d316260bb792f649ae81fa22aedefafdc28

  • SSDEEP

    768:us7lBVwt8IGMgLTjzTYTDnhQe6VISW6+Dd+Czr1D8w+s:vbKtfGMXHgId7dH5Jj

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs

    • Size

      72KB

    • MD5

      cf3ce0d565b919fe45d02705736fe824

    • SHA1

      0924076c6434b432b18fd0b298a2b5b14e38b754

    • SHA256

      96c1a11d9036afc58f65d8533f2c37b7fc64048e21bc60f28f0bb9311902e80f

    • SHA512

      eb44246e1c25d9cfcb49f724f710b21432fb8fab17b1344c3af142ef5959542a01db052db1e02b8f9af1df07872d3508fa99718a95260440b450bcee035fc431

    • SSDEEP

      1536:sTgvWHbK7HAM/TkMCV5i+8Q5+h+4C/hNGweE+f:sTgeMAITO8QS+lkf

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks