General

  • Target

    ORDEN DE COMPRA.pdf.lnk

  • Size

    2KB

  • Sample

    241127-wvwvnsvjb1

  • MD5

    9f96277bb641896447fe5b2ccf4388c3

  • SHA1

    2306e1fc3f45019bbd297e75a1162fe12a6c7f52

  • SHA256

    28557e17cc37aaa0834e1297b0c1345b489e7797daaa8ddf4feeab41cfc92934

  • SHA512

    570cdcb66469ca4f01e5a792b7242eaa947801402be0a9a9ce5adf9eb3f688860bba4bb3f03d3d54b53e0e9c4d4efd5a140ec93ccc31658c6e45ef351be99e70

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper
    https://www.sodiumlaurethsulfatedesyroyer.com/osingkjbxfd/agerfwearfwerfdfhsrarytrswerthdyttyfuiuoifjcghhbg/gefghdhjsdxghshnytrghdhfghsgbuhihtrgeyt/sdhtfjysdfhdyujujtryh3rthyer/gvndxfghs.exe

Extracted

  • Family

    lokibot

  • C2

    http://naturealmikaly.sytes.net:4409/aujfygidj/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      ORDEN DE COMPRA.pdf.lnk

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15