General

  • Target

    Solicitud de presupuesto 09-30-2024·pdf.vbs (Spanish for "Quote request"; a VBScript file despite the "pdf" in its name)

  • Size

    73KB

  • Sample

    241001-f8v8asshnp

  • MD5

    5cc7cf5b0814e2f80bad4c4e85831e96

  • SHA1

    93ed4011fc57034804feb5bd8ea61c6cf7b30cce

  • SHA256

    12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394

  • SHA512

    f9834c708ff8af1734b345f156d7abcebc8675f6e481fe65ac4512578d71cac11a3eba9779f2708a990858da9dce32c2e8416c967b77701991d7692393fa8c09

  • SSDEEP

    1536:s+0UNtNTLbVAumhqIkeF+3e+2Tyf4hHKMHAqLkf:s+5LfAFh62TS4hKf

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
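The hashes and C2 URLs above are the reusable part of this report. The following added example (my code, not from the sandbox or the LokiBot sample) turns them into two checks a responder would run: verifying a suspect file against all four listed digests, and sweeping proxy logs for the listed C2 hosts. The proxy-log line format and the log lines themselves are constructed for the demonstration, and the second, weaker tier that flags a listed panel path (such as `/alien/fre.php`) on an unlisted host is my own heuristic, not something the report states.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators transcribed from the report above.
REPORT_HASHES = {
    "md5": "5cc7cf5b0814e2f80bad4c4e85831e96",
    "sha1": "93ed4011fc57034804feb5bd8ea61c6cf7b30cce",
    "sha256": "12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394",
    "sha512": "f9834c708ff8af1734b345f156d7abcebc8675f6e481fe65ac4512578d71cac11a3eba9779f2708a990858da9dce32c2e8416c967b77701991d7692393fa8c09",
}
C2_URLS = [
    "http://137.184.191.215/index.php/10899",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
# Panel paths taken from the listed URLs, matched on their own as a weaker
# heuristic tier (my assumption; the report only lists full URLs).
C2_PATHS = {urlsplit(u).path for u in C2_URLS}


def hash_file_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists and say which ones match."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected in REPORT_HASHES.items()
    }


def classify_url(url: str) -> str:
    """'c2-host' for a listed host, 'c2-path' for a listed path on another host, else 'clean'."""
    parts = urlsplit(url)
    if parts.hostname in C2_HOSTS:
        return "c2-host"
    if parts.path in C2_PATHS:
        return "c2-path"
    return "clean"


def scan_proxy_log(lines) -> list:
    """Return (verdict, client, url) for every non-clean request.

    Line format is a constructed one: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing mid-sweep
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict != "clean":
            hits.append((verdict, client, url))
    return hits


# Constructed proxy log lines for the demonstration; not from the sandbox run.
SAMPLE_LOG = [
    "2024-10-01T09:12:44Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2024-10-01T09:13:01Z 10.0.0.15 POST http://137.184.191.215/index.php/10899 404",
    "2024-10-01T09:13:02Z 10.0.0.15 POST http://alphastand.top/alien/fre.php 404",
    "2024-10-01T09:13:05Z 10.0.0.22 POST http://not-in-report.example/alien/fre.php 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
    print(hash_file_bytes(b"placeholder bytes, not the sample"))
```

The hash check is exact and only ever confirms this one file; the host match is the indicator worth deploying, and the path-only tier should be reviewed rather than auto-blocked, since it will fire on any site that happens to serve the same path.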

Targets

    • Target

      Solicitud de presupuesto 09-30-2024·pdf.vbs

    • Lokibot

      LokiBot is an information stealer that targets saved passwords and cryptocurrency wallets.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      The sample invokes powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
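The two behaviours above that a host telemetry feed can see directly are the PowerShell launch and the network request from a blocklisted process. The added example below (my code, not from the report or the sandbox) runs a small stateful detector over a constructed stream of process-create and network-connect events, flagging a script host spawning powershell.exe and any blocklisted process reaching out, with the connection promoted to a C2 alert when the destination is the IP listed in the report. The event schema, the process lists, and the event stream are my assumptions and constructed data.

```python
# Indicator from the report above. The process sets are my assumptions about
# what an environment treats as "should not spawn PowerShell / should not talk out".
C2_IPS = {"137.184.191.215"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BLOCKLISTED_NET = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def detect(events):
    """Walk process-create and network-connect events in order and return alerts.

    Each alert is (rule, pid). Events are dicts in a constructed schema:
      {"type": "process", "pid": int, "ppid": int, "image": str}
      {"type": "network", "pid": int, "dst_ip": str, "dst_port": int}
    """
    image_of = {}  # pid -> lowercase image name seen so far
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            image_of[ev["pid"]] = image
            parent = image_of.get(ev["ppid"], "")
            # "Command and Scripting Interpreter: PowerShell" in the shape a
            # .vbs lure produces: script host -> powershell.exe.
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                alerts.append(("script-host-spawned-powershell", ev["pid"]))
        elif ev["type"] == "network":
            image = image_of.get(ev["pid"], "")
            if image in BLOCKLISTED_NET:
                # "Blocklisted process makes network request"; promote to a
                # C2 alert when the destination is a listed indicator.
                rule = "c2-connect" if ev["dst_ip"] in C2_IPS else "blocklisted-process-network"
                alerts.append((rule, ev["pid"]))
    return alerts


# Constructed event stream approximating the chain the signatures describe.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe"},  # the .vbs lure
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "network", "pid": 300, "dst_ip": "137.184.191.215", "dst_port": 80},
    {"type": "process", "pid": 400, "ppid": 100, "image": "chrome.exe"},
    {"type": "network", "pid": 400, "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "network", "pid": 200, "dst_ip": "203.0.113.5", "dst_port": 80},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The detector keys on parent image at process-create time, so it needs the parent's create event to arrive first; a real feed should seed `image_of` from a process snapshot at startup. The remaining signatures (the registry country-code lookup, Outlook profile access, and the NtSetInformationThread / NtCreateThreadEx / SetThreadContext anti-debug and injection calls) come from the sandbox's API-level tracing and are not visible in a plain process and network feed.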
