General
-
Target
win32.exe
-
Size
264KB
-
Sample
200908-pgj23a6kq6
-
MD5
aee8a4f7de7a199cc9a7d5cfbc3e11d9
-
SHA1
cd6c91aa00c6cf69573fb156198b6afb44a5a6e6
-
SHA256
5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
-
SHA512
7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e
Malware Config
Extracted
lokibot
http://joovy.ga/webxpo/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
win32.exe
-
Size
264KB
-
MD5
aee8a4f7de7a199cc9a7d5cfbc3e11d9
-
SHA1
cd6c91aa00c6cf69573fb156198b6afb44a5a6e6
-
SHA256
5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
-
SHA512
7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops Chrome extension
-