Overview

overview

10

Static

static

1

Purchase O...md.exe

windows7-x64

10

Purchase O...md.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase Order 02.07.2024.PDF.cmd.exe

  • Size

    608KB

  • Sample

    240702-lbbehswbna

  • MD5

    f17d5a8b9a853e6f1647cfe74dfa8db8

  • SHA1

    86cf4eefa5867518636070d71ef8448d8901c880

  • SHA256

    64665200a953a20b6f2a51b1071469a1d4984432da6384b76cc2bd81bd66f85a

  • SHA512

    c44a70526ca1fa3ab1900ea7526fe3970ea9c24652bf8aa331b9f77d072605d68767dd00f0afefd6525e3f667922c202215fa8e76b87a12c20fc2106043a5f70

  • SSDEEP

    12288:UlrujSANT3ukfuZt1h/PyOgDvIZfcHgGc+4016Wm8+VWo2TtEtrddZN5/RqUQekR:UlqjFT3ukGrnPyPvI1cHg3WCVWLF

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.136.239/index.php/gyr.php?id=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Purchase Order 02.07.2024.PDF.cmd.exe

    • Size

      608KB

    • MD5

      f17d5a8b9a853e6f1647cfe74dfa8db8

    • SHA1

      86cf4eefa5867518636070d71ef8448d8901c880

    • SHA256

      64665200a953a20b6f2a51b1071469a1d4984432da6384b76cc2bd81bd66f85a

    • SHA512

      c44a70526ca1fa3ab1900ea7526fe3970ea9c24652bf8aa331b9f77d072605d68767dd00f0afefd6525e3f667922c202215fa8e76b87a12c20fc2106043a5f70

    • SSDEEP

      12288:UlrujSANT3ukfuZt1h/PyOgDvIZfcHgGc+4016Wm8+VWo2TtEtrddZN5/RqUQekR:UlqjFT3ukGrnPyPvI1cHg3WCVWLF

    Score
    10/10
    lokibotcollectionexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks