Overview

overview

10

Static

static

1

Transferencia.pdf.lnk

windows7-x64

10

Transferencia.pdf.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27112024_1037_26112024_Transferencia.gz

  • Size

    1KB

  • Sample

    241127-mxgzvsxjgj

  • MD5

    aee1a042940ffb03651607b5e26e2f8b

  • SHA1

    c49bde96b5e5125409c2011fbe0895959046b4f5

  • SHA256

    eb2170acecff6ba21826cb400b90122f5a88c0086921f927eaa2b8b29fdf8f1f

  • SHA512

    802a42fc45fe9c6b683f48f47a2f34c9b88376b42297752acfd0f80f45c4b5a65dcd06d28665c1281d69c83a5b34114c08197d2bbaed73c6a6054c091659ee00

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://www.sodiumlaurethsulfatedesyroyer.com/tdtyhrxf/dfhsrarytrsagerfwearfwerfwerthdyttyfuiuoifjcghhbg/uhihtrgeytgefghdhjsdxghshnytrghdhfghsgb/sdfgdsh.exe

Extracted

Family

lokibot

C2

http://naturealmikaly.sytes.net:5338/sujfygidj/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Transferencia.pdf.lnk.lnk

    • Size

      2KB

    • MD5

      f979b032e2ff9982eb392528641b634c

    • SHA1

      47a8320cfa87be712554d29b9ad7ad83fee04370

    • SHA256

      5dc14e2aeea05c75894a451c65b43ddc7eb8c70c62ec4da968a2aeccdb52450c

    • SHA512

      3891b3b796c8b8ea5d1824a5cce9ec2201bd1ed61d1fbd8d0d561b4da51fab1cd2d865684fe2787ad1385ea529da376f083007059859206282ccbb3cf5ea9825

    Score
    10/10
    lokibotcollectiondiscoveryexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks