Overview

overview

10

Static

static

1

5c7f1d6ac7...c8.hta

windows7-x64

10

5c7f1d6ac7...c8.hta

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    43f15554d66e784d988aa2da3ed2a136.bin

  • Size

    3KB

  • Sample

    241117-bhbzhsxjgt

  • MD5

    8be2dae548cad83ba4a1fea4bd46fb50

  • SHA1

    15e18eb65ba794fbaedb63c2edd7c796f342db96

  • SHA256

    8da516a999c148cb941c62d31b0f7975999bc93466149fc42714c2aff307cd70

  • SHA512

    865fde43c382fc4a1bcf33ee092a44fc86e1954ab3150ca244a3435371ff8025b6d8776b22d9f9be78016c308b2293e5788ebabf9eb3be851b9a60ab1ae5599e

Score
10/10
lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

lokibot

C2

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8.hta

    • Size

      178KB

    • MD5

      43f15554d66e784d988aa2da3ed2a136

    • SHA1

      6d0fb362a8aa62a046e25435e6a525e2ca61492d

    • SHA256

      5c7f1d6ac7671a1b1764dba808cf52f5c5c48ce1cbd0f1c16d8f6cf0afe5d3c8

    • SHA512

      2c06f6a513bd10d648dfec384fc1056b0e8f39a830e0671f9098961076de61ac7db5e0dc7724a7ffd403a4769b90324aeb785d0b16c13dfe7dd24342a9460cd9

    • SSDEEP

      96:4vCl17J1YiZVGTVy1YiZQGTVMFxfwVXNewJrC1YiZo1YiZDjGTVs1YiZkQ:4vCldfhjGTOheGTqHwShohxjGTYhuQ

    Score
    10/10
    defense_evasiondiscoveryexecutionlokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks