General

  • Target

    a54bdd270a424ec79b735ef6b513c2e4.bin

  • Size

    3KB

  • Sample

    241120-byl5esxmes

  • MD5

    f3eee1a5a62c0eb3ccd2edbb375b9828

  • SHA1

    77da5f73e6432e7239df6a8b69bbc0845f6e84b1

  • SHA256

    8e25ac64044117f099abdf70d3d15f4c93a8225723c811ddca6f3711d5f7a55e

  • SHA512

    187ee50d58d62d554fda4a060b8a74433158ca9055b0fade1a63b9417a8214bb9fe5e3eeaf9603c94de9713e39bbc75d42516260a37df5d2c6950069017712c7

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
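
The extracted C2 list is most useful once it is turned into something that can be run against traffic. The following is an added example (not part of the sandbox report) that splits the five URLs above into host and path indicators and scans constructed proxy log lines against them. It distinguishes a full host+path match from a host-only hit and from a path-only hit: four of the five URLs share the same `/alien/fre.php` panel path on different hosts, so a known path on a new host is worth a look even though it is a weaker signal. The log lines and their format are constructed for the example.

```python
"""Match proxy/HTTP log lines against the LokiBot C2 URLs extracted above.

Added example, not the sandbox's own tooling. The log lines below are
constructed; the C2 list is the one from this report.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://94.156.177.41/maxzi/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Split each C2 URL into (host, path) pairs plus the host and path sets."""
    pairs, hosts, paths = set(), set(), set()
    for u in urls:
        p = urlsplit(u)
        host = (p.hostname or "").lower()
        pairs.add((host, p.path))
        hosts.add(host)
        paths.add(p.path)
    return pairs, hosts, paths


# Constructed access-log lines: "timestamp client method url status".
LOG = """\
1732089600.101 10.0.0.7 POST http://kbfvzoboss.bid/alien/fre.php 200
1732089601.220 10.0.0.7 GET http://update.example.com/alien/fre.php 404
1732089602.330 10.0.0.9 POST http://ALPHASTAND.TOP/alien/fre.php 200
1732089603.440 10.0.0.9 GET http://94.156.177.41/ 301
1732089604.550 10.0.0.11 GET http://www.example.org/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def classify(url, pairs, hosts, paths):
    """Return the strongest indicator class a URL matches, or None."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()   # hostnames are case-insensitive
    if (host, p.path) in pairs:
        return "c2_match"          # exact host + panel path from the config
    if host in hosts:
        return "c2_host"           # known C2 host, different path
    if p.path in paths:
        return "c2_path_only"      # known panel path on an unknown host
    return None


def scan(log_text, urls=C2_URLS):
    """Return (client, url, verdict) for every log line that matches an indicator."""
    pairs, hosts, paths = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not fit the format
        verdict = classify(m["url"], pairs, hosts, paths)
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(LOG):
        print(f"{verdict:14} {client:10} {url}")
```

Host matching is done on the normalised hostname rather than by substring, so `alphastand.top` does not also fire on, say, `notalphastand.top`; the `c2_path_only` class is intended as a triage queue, not a block decision.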

Targets

    • Target

      dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta

    • Size

      178KB

    • MD5

      a54bdd270a424ec79b735ef6b513c2e4

    • SHA1

      465738a3e31b16ad80c44f3dc7bdd762e402cb51

    • SHA256

      dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

    • SHA512

      598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61

    • SSDEEP

      96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
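
Three of the behaviours listed above (the PowerShell Defender-exclusion command, the registry country-code lookup, and SetThreadContext against another process) are easy to express as rules over a sandbox trace. The block below is an added example, not the sandbox's own signature logic: it runs those three rules over a constructed trace of process starts and API calls. The event format is invented for the example, and the geofence rule assumes the lookup hits the `Control Panel\International\Geo\Nation` value, which the report does not state (it only says the country code is read from the registry).

```python
"""Re-create three of the listed behaviour signatures as rules over a
constructed sandbox-style event trace. Added example; the event format and
the exact registry value used by the geofence rule are assumptions.
"""
import re

# Constructed trace: one dict per process start / API call. The .hta launches
# PowerShell, mirroring the .hta target in this report, but the values are made up.
EVENTS = [
    {"pid": 1200, "type": "process",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\invoice.hta"},
    {"pid": 1312, "ppid": 1200, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Add-MpPreference "
                "-ExclusionPath 'C:\\Users\\u\\AppData' -ExclusionExtension '.exe'"},
    {"pid": 1500, "type": "registry", "api": "RegQueryValueExW",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 1500, "type": "api", "api": "SetThreadContext", "target_pid": 1612},
    {"pid": 1500, "type": "api", "api": "SetThreadContext", "target_pid": 1500},
]

# Add-MpPreference / Set-MpPreference followed by any of the exclusion switches.
MP_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I
)


def rule_defender_exclusion(ev):
    """PowerShell process whose command line adds Defender exclusions."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))
            and MP_EXCL_RE.search(ev["cmdline"]) is not None)


def rule_geo_lookup(ev):
    """Registry read of the configured country (assumed: Geo\\Nation value)."""
    return (ev["type"] == "registry"
            and ev.get("api", "").startswith("RegQueryValueEx")
            and ev["key"].lower().endswith(r"international\geo")
            and ev.get("value", "").lower() == "nation")


def rule_set_thread_context(ev):
    """SetThreadContext on a thread owned by a different process (hollowing tell);
    a process adjusting its own threads is not flagged."""
    return (ev["type"] == "api" and ev["api"] == "SetThreadContext"
            and ev.get("target_pid") not in (None, ev["pid"]))


RULES = {
    "Command and Scripting Interpreter: PowerShell": rule_defender_exclusion,
    "Checks computer location settings": rule_geo_lookup,
    "Suspicious use of SetThreadContext": rule_set_thread_context,
}


def run_rules(events=EVENTS, rules=RULES):
    """Return {signature name: sorted list of pids that triggered it}."""
    hits = {}
    for name, fn in rules.items():
        pids = sorted({ev["pid"] for ev in events if fn(ev)})
        if pids:
            hits[name] = pids
    return hits


if __name__ == "__main__":
    for name, pids in run_rules().items():
        print(f"{name}: pids {pids}")
```

The SetThreadContext rule keys on the target process being different from the caller; that is what separates the injection pattern from legitimate debuggers and runtime code that only touches its own threads, and it is the check that matters when tuning this signature against noisy telemetry.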

MITRE ATT&CK Enterprise v15

Tasks