Overview

overview

10

Static

static

3

Ordinediac...PS.exe

windows7-x64

10

Ordinediac...PS.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ordinediacquisto_PO102429_OFT_PUMPS.exe

  • Size

    204KB

  • Sample

    250217-n1y8zsymfs

  • MD5

    f04e54b14850e86d7079e75f9212d0af

  • SHA1

    f9ac755df86475a7bd6ec258f906df7bbaa5420b

  • SHA256

    ee8578ebf209462c50f37d8fceb524db53b5b97078aa0995c775133b8d3f9d64

  • SHA512

    bbc0f9c6c449bc39ac928e84421af5bb6f19402e144af9daf696a2395e4ccf2dd168cab5d6a8928c83a9925ea1f6b90ec55dc7bf7a6a3e41a0570538b8f3ab48

  • SSDEEP

    3072:DEa1A11XjI3flVMrbQfDJ1h0i1iZIHxEpE0Xm2oHMrrqu71l3/rkV0:jK19c5JB1MH22mMreu7n/g

Score
10/10
lokibotadwarecollectiondiscoverypersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://ddrtot.shop/New/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Ordinediacquisto_PO102429_OFT_PUMPS.exe

    • Size

      204KB

    • MD5

      f04e54b14850e86d7079e75f9212d0af

    • SHA1

      f9ac755df86475a7bd6ec258f906df7bbaa5420b

    • SHA256

      ee8578ebf209462c50f37d8fceb524db53b5b97078aa0995c775133b8d3f9d64

    • SHA512

      bbc0f9c6c449bc39ac928e84421af5bb6f19402e144af9daf696a2395e4ccf2dd168cab5d6a8928c83a9925ea1f6b90ec55dc7bf7a6a3e41a0570538b8f3ab48

    • SSDEEP

      3072:DEa1A11XjI3flVMrbQfDJ1h0i1iZIHxEpE0Xm2oHMrrqu71l3/rkV0:jK19c5JB1MH22mMreu7n/g

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojanadwarepersistenceprivilege_escalation

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks