Overview

overview

10

Static

static

3

Pirkuma pa...ic.iso

windows7-x64

3

Pirkuma pa...ic.iso

windows10-2004-x64

3

out.iso

windows7-x64

1

out.iso

windows10-2004-x64

1

Pirkuma pa...ic.exe

windows7-x64

10

Pirkuma pa...ic.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pirkuma pasūtījums_(PO980043)_CNC Baltic.iso

  • Size

    700KB

  • Sample

    241021-lv78la1cml

  • MD5

    0c70f564396d55d8c3da4276c80f724f

  • SHA1

    ae3cb5864c5bea73564cad83aa35fc593641ac6d

  • SHA256

    08694095beeaca20a7868cf9d157043ce171f69b0153eacf3a4effc9a6da24ad

  • SHA512

    983fed1ff80313b9d5bb7fb2f0dc026899a4aa9c414a3545bb9b6880f95524d0791a644de4696955e39dfcf07179acafc25d253a6034f19a429b818f878ffa27

  • SSDEEP

    12288:VKry2/qZXzmowxht2fxyIL1COZLv4wkZzE96Ghz1X0aiyIWA1X1:Ury2uXzmH92fxjJCOvxsA96+a4A51

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://dddotx.shop/Mine/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Pirkuma pasūtījums_(PO980043)_CNC Baltic.iso

    • Size

      700KB

    • MD5

      0c70f564396d55d8c3da4276c80f724f

    • SHA1

      ae3cb5864c5bea73564cad83aa35fc593641ac6d

    • SHA256

      08694095beeaca20a7868cf9d157043ce171f69b0153eacf3a4effc9a6da24ad

    • SHA512

      983fed1ff80313b9d5bb7fb2f0dc026899a4aa9c414a3545bb9b6880f95524d0791a644de4696955e39dfcf07179acafc25d253a6034f19a429b818f878ffa27

    • SSDEEP

      12288:VKry2/qZXzmowxht2fxyIL1COZLv4wkZzE96Ghz1X0aiyIWA1X1:Ury2uXzmH92fxjJCOvxsA96+a4A51

    Score
    3/10
    behavioral1behavioral2

    • Target

      out.iso

    • Size

      700KB

    • MD5

      0c70f564396d55d8c3da4276c80f724f

    • SHA1

      ae3cb5864c5bea73564cad83aa35fc593641ac6d

    • SHA256

      08694095beeaca20a7868cf9d157043ce171f69b0153eacf3a4effc9a6da24ad

    • SHA512

      983fed1ff80313b9d5bb7fb2f0dc026899a4aa9c414a3545bb9b6880f95524d0791a644de4696955e39dfcf07179acafc25d253a6034f19a429b818f878ffa27

    • SSDEEP

      12288:VKry2/qZXzmowxht2fxyIL1COZLv4wkZzE96Ghz1X0aiyIWA1X1:Ury2uXzmH92fxjJCOvxsA96+a4A51

    Score
    1/10
    behavioral3behavioral4

    • Target

      Pirkuma pasūtījums_(PO980043)_CNC Baltic.exe

    • Size

      638KB

    • MD5

      119e26f5363c912425224601b8bf2755

    • SHA1

      44cf0f1a82b4109854924c0ab1c34fcb7b75235b

    • SHA256

      77f4283a7201b2325f301224b6977e69e340ae21b9221f31272e30e03522137a

    • SHA512

      26154db4369cd1bf563d46004a4cd9ca1ccee682482d02c43c51bdb0d3e6a40346b49a567be52495b92878be349df0d6cd6e23030e5482b1b445264263c78183

    • SSDEEP

      12288:2Kry2/qZXzmowxht2fxyIL1COZLv4wkZzE96Ghz1X0aiyIWA1X1j:Rry2uXzmH92fxjJCOvxsA96+a4A51j

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks