General

  • Target

    file

  • Size

    778KB

  • Sample

    201222-1q15g9yp8x

  • MD5

    0060a15187f5ba2ba56732c263c0d74b

  • SHA1

    1810d65e34e9f6d24e2e64a81be5ef0512775a95

  • SHA256

    5ca79547857ec5e312e44722cdb5f388dfbc1134b67b0b557e2d80fc4c671aa3

  • SHA512

    dead85ba9a7c33cf8853c8584a86555421e8c16c5bdaba3ccfe5e2a48308206d5777c24322b2306a1ae0c2e79384079337a463b32c566994fa9769c505e4e8f0

Malware Config

Extracted

Family

lokibot

C2

https://deqtmaysoor.com/jah/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      file

    • Size

      778KB

    • MD5

      0060a15187f5ba2ba56732c263c0d74b

    • SHA1

      1810d65e34e9f6d24e2e64a81be5ef0512775a95

    • SHA256

      5ca79547857ec5e312e44722cdb5f388dfbc1134b67b0b557e2d80fc4c671aa3

    • SHA512

      dead85ba9a7c33cf8853c8584a86555421e8c16c5bdaba3ccfe5e2a48308206d5777c24322b2306a1ae0c2e79384079337a463b32c566994fa9769c505e4e8f0

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader First Stage

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Tasks