General
-
Target
6222cb86d552b27cabb9f54dda289fce3ab253862c6ab764d55b14a1f44b1ca0.doc
-
Size
739KB
-
Sample
241024-b15pjsycpg
-
MD5
70ca4da4999e3a0c6255c2608cea91c1
-
SHA1
e66fe0890d9487d3793f099d0c6752cef725d800
-
SHA256
6222cb86d552b27cabb9f54dda289fce3ab253862c6ab764d55b14a1f44b1ca0
-
SHA512
f9b3fa3f531eabdd7fdb3c4fb17960ec7d9520328f0aeec0fda763588298f7c1c1783b74b864d19b89c2e7959c5c1a6e5bef3b0052d9963aed81169617a062eb
-
SSDEEP
6144:9wAYwAYwAYwAYwAYwAYwAYwAwLdsVVjlq9ZrphGaId3jW5HkylNirp1:a
Malware Config
Extracted
lokibot
http://94.156.177.220/skipo/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
6222cb86d552b27cabb9f54dda289fce3ab253862c6ab764d55b14a1f44b1ca0.doc
-
Size
739KB
-
MD5
70ca4da4999e3a0c6255c2608cea91c1
-
SHA1
e66fe0890d9487d3793f099d0c6752cef725d800
-
SHA256
6222cb86d552b27cabb9f54dda289fce3ab253862c6ab764d55b14a1f44b1ca0
-
SHA512
f9b3fa3f531eabdd7fdb3c4fb17960ec7d9520328f0aeec0fda763588298f7c1c1783b74b864d19b89c2e7959c5c1a6e5bef3b0052d9963aed81169617a062eb
-
SSDEEP
6144:9wAYwAYwAYwAYwAYwAYwAYwAwLdsVVjlq9ZrphGaId3jW5HkylNirp1:a
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1