General

  • Target

    NewOrder.zip

  • Size

    524KB

  • Sample

    241022-v5nrdawgmc

  • MD5

    2ba45f05a335d1b1740d1401bcebad39

  • SHA1

    7b87a171da03b1ca8248e7e2e4a203b258e79f16

  • SHA256

    2592c99ac5bbdbad03df7ea4f754bdf4f6c9180502e5d93f59cb25d4f317e1e2

  • SHA512

    6dbb52b4ddf304d1827e9f0ca4d38e9489950dbba7c752d412b7f011eca8c702de43ce16c77b5ba772fcae32c145483ebc79be3d4dc06e885a05e88575067656

  • SSDEEP

    12288:xt7iLdfmCiPIZDKzxW3rfjQo6t/SBQ1XRE434p/MOWAJZpQEF5kIowfG:xtuLdONPODkof0o69XECUiaWIffG

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.220/skipo/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      New Order.exe

    • Size

      538KB

    • MD5

      fed5b3d1972774645a11685a33140e28

    • SHA1

      c9ea3cdc9f537fe50088c07c239c69dea4456ddc

    • SHA256

      15582393b01b6c64d16d7c573cec24dc00954c1faede0dc69777a1caa9757f7d

    • SHA512

      5682fcc7f55a8915dceeda6ce0b6cb60f993987c2631c7b4024d6afc78cd94cc345561e59ac15df2fe9511a92736ef387354f703287ac1326d9da694ee269680

    • SSDEEP

      12288:V9BvctM85t35JPNJj2WzoRLQYRYzmYcwbzbpFMQWaJZpQEB52oSwc3:VD0tM85tbNJjldeYiYpi+so1c3

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Accesses Microsoft Outlook profiles

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks