General

  • Target

    SOLICITUDDEPEDIDOUniversidadedeSoPauloUSP09302024pdf.vbs

  • Size

    78KB

  • Sample

    241001-pwqlqatepg

  • MD5

    8de3bba9fb959d08b3719f1281957c56

  • SHA1

    b8132af0e02ecb58c3c3eb39fe919e3b805106cf

  • SHA256

    c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25

  • SHA512

    8024de858f6d4ec08728944183309650f3f0a7fdc7e83eee53852d00efc37f845ff03bbca42ccd0284282e29c38937a82004bf1b8c3ce439ccc93714fa02f93c

  • SSDEEP

    1536:sUjz/4d4EMT6SUAQZWwGcKQeH+4my6lGiYeJztAxUCDYf:sUjsLAgWO4mF1YhQf

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      SOLICITUDDEPEDIDOUniversidadedeSoPauloUSP09302024pdf.vbs

    • Size

      78KB

    • MD5

      8de3bba9fb959d08b3719f1281957c56

    • SHA1

      b8132af0e02ecb58c3c3eb39fe919e3b805106cf

    • SHA256

      c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25

    • SHA512

      8024de858f6d4ec08728944183309650f3f0a7fdc7e83eee53852d00efc37f845ff03bbca42ccd0284282e29c38937a82004bf1b8c3ce439ccc93714fa02f93c

    • SSDEEP

      1536:sUjz/4d4EMT6SUAQZWwGcKQeH+4my6lGiYeJztAxUCDYf:sUjsLAgWO4mF1YhQf

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks