General
-
Target
PERMINTAANANGGARANUniversitasIPBID177888pdf.vbs
-
Size
72KB
-
Sample
241002-a5g9dayejn
-
MD5
cf3ce0d565b919fe45d02705736fe824
-
SHA1
0924076c6434b432b18fd0b298a2b5b14e38b754
-
SHA256
96c1a11d9036afc58f65d8533f2c37b7fc64048e21bc60f28f0bb9311902e80f
-
SHA512
eb44246e1c25d9cfcb49f724f710b21432fb8fab17b1344c3af142ef5959542a01db052db1e02b8f9af1df07872d3508fa99718a95260440b450bcee035fc431
-
SSDEEP
1536:sTgvWHbK7HAM/TkMCV5i+8Q5+h+4C/hNGweE+f:sTgeMAITO8QS+lkf
Malware Config
Extracted
lokibot
http://137.184.191.215/index.php/check.php?s=am9ntjjw
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
PERMINTAANANGGARANUniversitasIPBID177888pdf.vbs
-
Size
72KB
-
MD5
cf3ce0d565b919fe45d02705736fe824
-
SHA1
0924076c6434b432b18fd0b298a2b5b14e38b754
-
SHA256
96c1a11d9036afc58f65d8533f2c37b7fc64048e21bc60f28f0bb9311902e80f
-
SHA512
eb44246e1c25d9cfcb49f724f710b21432fb8fab17b1344c3af142ef5959542a01db052db1e02b8f9af1df07872d3508fa99718a95260440b450bcee035fc431
-
SSDEEP
1536:sTgvWHbK7HAM/TkMCV5i+8Q5+h+4C/hNGweE+f:sTgeMAITO8QS+lkf
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-