General
Target: P.O No.4036041334.doc
Size: 512KB
Sample: 250115-vtnx1ayqdt
MD5: d5c47c3c40110d31d71d47ebef9ba981
SHA1: f811b3cd634c20c39a42d758cf0ee5da16a73ab5
SHA256: 14bc9eb88aeb83fb929a6e97225d7022f6a1919016a6722409903abd39e842a1
SHA512: db748f515ef27d8192132a156c84be0964089e95d0a0d5358e8b1902a35a96aeaf33d80358edc2a8defe3b5bd1dd0fd29d14ece361d5811f9a00206729e5d263
SSDEEP: 6144:bwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwArsx1:7
Static task: static1
Behavioral task: behavioral1
Sample: P.O No.4036041334.rtf
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: P.O No.4036041334.rtf
Resource: win10v2004-20241007-en
Malware Config
Extracted: lokibot
- http://94.156.177.41/alpha/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: P.O No.4036041334.doc
Size: 512KB
MD5: d5c47c3c40110d31d71d47ebef9ba981
SHA1: f811b3cd634c20c39a42d758cf0ee5da16a73ab5
SHA256: 14bc9eb88aeb83fb929a6e97225d7022f6a1919016a6722409903abd39e842a1
SHA512: db748f515ef27d8192132a156c84be0964089e95d0a0d5358e8b1902a35a96aeaf33d80358edc2a8defe3b5bd1dd0fd29d14ece361d5811f9a00206729e5d263
SSDEEP: 6144:bwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwArsx1:7
- Lokibot family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Exploitation for Client Execution (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)