lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

client.exe.zip
Size

9KB
Sample

241215-t734ea1rdl
MD5

781d60871b7567e08fdf43533408e09f
SHA1

ef0476c57634c04f02da0f4d762fc6f0c219119f
SHA256

a3c37478d879d20b7d6c392c70c0acdf0ed7ef4fba94578d9a5a9131b873831b
SHA512

38c640d4f9d3e64e3b088ae12bd7c75e43aaeb4448fbceec5e3d54d082254124519765f2ebf083534255f49cc0d8ce1116f509d616b114dd216de6cded977efd
SSDEEP

192:aUr8d+BYXkYvHF2UAmblJ5TcyN58iy1xknBpWQ+:aUgd8YUShAobTc+8NQp+

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

lokibot

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

lumma

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://consort-slink.cyou/api

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
hellres
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Extracted

Family

metasploit

Version

metasploit_stager

176.122.27.90:8888

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  10KB
- MD5
  
  2a94f3960c58c6e70826495f76d00b85
- SHA1
  
  e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256
  
  2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512
  
  fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP
  
  192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score

10^/10

lokibot quasar xworm office office04 collection discovery evasion execution persistence rat spyware stealer themida trojan lumma phorphiex loader worm
- Detect Xworm Payload
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  New Text Document mod.exe
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

meduza redline xworm fvcxcx collection credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx privilege_escalation
- Detect Xworm Payload
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  New Text Document mod.exse
- Size
  
  8KB
- MD5
  
  69994ff2f00eeca9335ccd502198e05b
- SHA1
  
  b13a15a5bea65b711b835ce8eccd2a699a99cead
- SHA256
  
  2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
- SHA512
  
  ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
- SSDEEP
  
  96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score

10^/10

meduza metasploit redline xworm fvcxcx backdoor collection credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx privilege_escalation
- Detect Xworm Payload
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6