Overview

overview

10

Static

static

1

PERMINTAAN...df.cmd

windows7-x64

10

PERMINTAAN...df.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0e10d15bc55ed2a8307a27bc087fb472397adc319d6c382832a59941e81a9178

  • Size

    4KB

  • Sample

    241002-e7adrsxdrk

  • MD5

    1d4fa38b961cb5600416c583d35efe4e

  • SHA1

    5564cb9c6a398517334e3a58606d42365c2634bd

  • SHA256

    0e10d15bc55ed2a8307a27bc087fb472397adc319d6c382832a59941e81a9178

  • SHA512

    68e81bd6797ca71290a0b7f23b0a29bcca326f3da6127969f7785392157686ce66958ffe9baeb81f737b5870b9246f12217507f5ec8b9a3e8748375a3e9bd4a9

  • SSDEEP

    96:tawye5GQtBGp994XwatQJSDbgr3/bVDhm+mhqvyWciHEqWUGqlf:tHyRY0994XwDJM0bVFm+mm/UU7

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.cmd

    • Size

      6KB

    • MD5

      854644dfd3e32033434d0338404c9a8f

    • SHA1

      f693fd34cef102901ebf389fd346e4e27fcbac2f

    • SHA256

      09a3bb4be0a502684bd37135a9e2cbaa3ea0140a208af680f7019811b37d28d6

    • SHA512

      9b5d79c99bf7d6d4ceaae0729c8036536a4514ebf19e40cf7e3870bf47346228c0ae1d025974a6adf4407501fad7e3edec7d0076474f2690c88c3a59b812fec6

    • SSDEEP

      192:rO2ENM8I0pZCaTFhv8YvBsYtFHkbaBuvl0MzT+L9XNZ:8XI0CaTFl8kB3kbD1XIdZ

    Score
    10/10
    lokibotcollectiondiscoveryexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks