Overview

overview

10

Static

static

3

Objednávk...va.exe

windows7-x64

10

Objednávk...va.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c80055b62b28467e50372ab681658a9596a1a6917011fcde22ddf912acaa3ec1

  • Size

    145KB

  • Sample

    250210-rwlc4svrcy

  • MD5

    847f5132480c94528870ab9460bce736

  • SHA1

    632df3d26505daadf4e88f0b82a2e2eba598249e

  • SHA256

    c80055b62b28467e50372ab681658a9596a1a6917011fcde22ddf912acaa3ec1

  • SHA512

    80f74d7a2d073b13d9696cc536b9764095e072f5b1beb76dddecafb0b28d3f0661a9d3c5404445460e1bb16d2f6a00fdfb309a1443c34f9442c64107f382655b

  • SSDEEP

    3072:kyqCipzPbydBma2BIH/EJE0Xm2KHMrrqu71lZZAyh1/6E:h/myIH22MMrmu7pZAy1

Score
10/10
lokibotadwarecollectiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://ddrtot.shop/New/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Objednávka_(PO208919)_Agropodnik_A.S_Trnava.exe

    • Size

      194KB

    • MD5

      e161e070cdc4f438c40c4cdc2326fa27

    • SHA1

      5777cc7b1cbdaf545bd38cb57eca9f5966b21171

    • SHA256

      a361358c79a61e6781d0ccd512d2fa7222bd2025346ca9494279c8072129d91f

    • SHA512

      2fc9bf43b31c868c1bf24d82ebe9f754a27187fc3b6bdb40a7592b0c46afd245c22ed425b1f9bb4515b7a5775b15b169588366d9b9bb0aee0902eb16dc7d0ba5

    • SSDEEP

      3072:KUPYPRLDfgZ27Y5+Mi6hDZIHxEpE0Xm2oHMrrqu71l3/rkF0:KUP0RXfKnrH22mMreu7n/w

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojanadwarepersistenceprivilege_escalation

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks