Overview

overview

10

Static

static

1

534eb483ce...28.hta

windows7-x64

10

534eb483ce...28.hta

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    534eb483ce1b60f8fdaf67d6a9bbbe6b100247860f85706d2a0dbd86e55de528.hta

  • Size

    207KB

  • Sample

    241108-c75tkasnhz

  • MD5

    0bac7f117cbea0f1f91bbf5cbe2d1c7c

  • SHA1

    d93b06f8ad1f8398874c066ab3d63cdbce77d5bc

  • SHA256

    534eb483ce1b60f8fdaf67d6a9bbbe6b100247860f85706d2a0dbd86e55de528

  • SHA512

    431c8fa003e4948299d0cd255ff554f75987435c60894301f2a8dbb485d571bcda90734fdd84e29dcdcb5f177cecfb8e1d13d41e71b12c3b9275da5da84da529

  • SSDEEP

    96:43F97kMc4sQN+Mc4sQmpxNv5vEB6yackMc4sQtMc4sQ9i5AiMc4sQpQ:43F1kxm+x1pa6yapxYxui5AixyQ

Score
10/10
lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      534eb483ce1b60f8fdaf67d6a9bbbe6b100247860f85706d2a0dbd86e55de528.hta

    • Size

      207KB

    • MD5

      0bac7f117cbea0f1f91bbf5cbe2d1c7c

    • SHA1

      d93b06f8ad1f8398874c066ab3d63cdbce77d5bc

    • SHA256

      534eb483ce1b60f8fdaf67d6a9bbbe6b100247860f85706d2a0dbd86e55de528

    • SHA512

      431c8fa003e4948299d0cd255ff554f75987435c60894301f2a8dbb485d571bcda90734fdd84e29dcdcb5f177cecfb8e1d13d41e71b12c3b9275da5da84da529

    • SSDEEP

      96:43F97kMc4sQN+Mc4sQmpxNv5vEB6yackMc4sQtMc4sQ9i5AiMc4sQpQ:43F1kxm+x1pa6yapxYxui5AixyQ

    Score
    10/10
    defense_evasiondiscoveryexecutionlokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks