General

  • Target

    3ec27e7b95a43db7d79fa8a011c09bd9bcb0ef97f5f114b0de2b471e4805fc9d.exe

  • Size

    1012KB

  • Sample

    210113-6ffx6l3ae2

  • MD5

    6f2f63ea2779ce7e0c6f7b662b3deeae

  • SHA1

    90407553e2142f7f6c73e22ebd8e147d00c0ddc5

  • SHA256

    3ec27e7b95a43db7d79fa8a011c09bd9bcb0ef97f5f114b0de2b471e4805fc9d

  • SHA512

    fa639e204bfc141990a4089c04b8c8ffce3a85c584868365e7176b6b9a54058e0e6c4d85242cbecfea509c2907c5587f8e800b8378c2949e9bc258771e9d8168

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://185.206.215.56/morx/1/cgi.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      3ec27e7b95a43db7d79fa8a011c09bd9bcb0ef97f5f114b0de2b471e4805fc9d.exe

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks