Overview

overview

10

Static

static

3

pago-087.exe

windows7-x64

10

pago-087.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pago-087.exe

  • Size

    772KB

  • Sample

    240705-qsc2wsygnn

  • MD5

    e9b1be2e63fc218bd1207838612575ca

  • SHA1

    9bdea32b60dbd1166072774d75a3019417690b1c

  • SHA256

    9bc70a2e37123deefafa303ca59ea0dd304b17e2f0288b3b6730104da0e0f6f1

  • SHA512

    057171c9690bca3c7c711b24d310e2a373f4d2f1cd210296476c2c29ce162cedb21f8fd5f0987b09dae9e19e127f46114abe6141ac0ca8e26f49b5ee11e76d96

  • SSDEEP

    12288:xaMgwQk0407ft8pjs0pGBvxM/r9RKGqHmIdD+Z:gMwt2Y0MMz9RKHHF9K

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://ransomproducts.top/cj1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      pago-087.exe

    • Size

      772KB

    • MD5

      e9b1be2e63fc218bd1207838612575ca

    • SHA1

      9bdea32b60dbd1166072774d75a3019417690b1c

    • SHA256

      9bc70a2e37123deefafa303ca59ea0dd304b17e2f0288b3b6730104da0e0f6f1

    • SHA512

      057171c9690bca3c7c711b24d310e2a373f4d2f1cd210296476c2c29ce162cedb21f8fd5f0987b09dae9e19e127f46114abe6141ac0ca8e26f49b5ee11e76d96

    • SSDEEP

      12288:xaMgwQk0407ft8pjs0pGBvxM/r9RKGqHmIdD+Z:gMwt2Y0MMz9RKHHF9K

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      3eb4cd50dcb9f5981f5408578cb7fb70

    • SHA1

      13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

    • SHA256

      1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

    • SHA512

      5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

    • SSDEEP

      96:+7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNv3e:QXhHR0aTQN4gRHdMqJVgNG

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks