General
Target: New purchase Order.doc
Size: 770KB
Sample: 250327-rxzl5atsgw
MD5: 79913bcff17faf8ec7eac8d8553ee8bb
SHA1: d0e104625f5ce6920702d8f45f82997a96dccbbe
SHA256: df99debc91fb1a360db43855f0236350d54eae2def5a5bc6f58d15bfde965859
SHA512: 472241ba3a47d784d69075e9b5611033649815229913fb685fae12c8db69c62f923d44ce82eafb9a9715afb03ed1387ee23ff4e48cdb95cf699d621f57b60224
SSDEEP: 6144:+wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAc:/
Static task: static1
Behavioral task: behavioral1
  Sample: New purchase Order.rtf
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: New purchase Order.rtf
  Resource: win10v2004-20250314-en
Malware Config
Extracted configuration (family: lokibot), URLs:
- http://94.156.177.41/alpha/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: New purchase Order.doc
- Lokibot family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Exploitation for Client Execution (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)