General

  • Target

    PO-4147074_pdf.ace

  • Size

    668KB

  • Sample

    210421-mcgzwsad7x

  • MD5

    d181c261d57a6352733a68c37ec63472

  • SHA1

    14415af946546b03da77cd1f9931d47a91205269

  • SHA256

    141bb53e82f9d6e5e6707ee5305cef2b55ec1ae8ab0344e01dea7bdbea8c4d58

  • SHA512

    18cbe1a56926561b76a4e207decf404fd885470ce399c3b57513480a5e4f6d1dc4728ac125edd34ec53ebab7fcf2167338d5964c06c464878f675b6ee86187f8

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://51.195.53.221/p.php/7MPTLmOD4nAsj
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
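
The extracted C2 list is the most directly actionable part of this report. As an added example (not part of the sandbox report or of the Triage tooling), the Python script below hunts Squid-style proxy logs for the five C2 URLs above. It matches on the full host+path first (strong indicator: a Lokibot check-in to fre.php) and falls back to a host-only match (weaker: could be a parked domain or a user browsing to the root). The log lines are constructed here for illustration and the field layout assumes Squid's native access.log format; neither comes from the sandbox run.

```python
"""Hunt proxy logs for the Lokibot C2 URLs listed in this report (added example)."""
from urllib.parse import urlsplit

# C2 URLs copied from the Malware Config section of the report.
C2_URLS = [
    "http://51.195.53.221/p.php/7MPTLmOD4nAsj",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalize(url):
    """Return (host, path) with the host lower-cased; the path is left as-is
    because C2 panels usually serve it case-sensitively."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""   # .hostname already lower-cases and strips the port
    return host, parts.path


C2_HOSTS = {normalize(u)[0] for u in C2_URLS}
C2_FULL = {normalize(u) for u in C2_URLS}

# Constructed sample lines (assumed Squid native format:
# ts duration client result/status bytes method url user hierarchy type).
SAMPLE_LOG = """\
1619000001.123    212 10.0.0.15 TCP_MISS/200 612 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/1.2.3.4 text/html
1619000002.456     48 10.0.0.15 TCP_MISS/404 318 GET http://alphastand.top/ - HIER_DIRECT/1.2.3.4 text/html
1619000003.789    101 10.0.0.22 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/5.6.7.8 text/html
1619000004.012     90 10.0.0.15 TCP_MISS/200 600 POST http://51.195.53.221/p.php/7MPTLmOD4nAsj - HIER_DIRECT/51.195.53.221 text/html
1619000005.345     77 10.0.0.31 TCP_MISS/200 700 POST http://KBFVZOBOSS.BID/alien/fre.php - HIER_DIRECT/9.9.9.9 text/html
"""


def parse_squid_line(line):
    """Pull the fields we need out of one Squid access.log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": fields[0], "client": fields[2], "method": fields[5], "url": fields[6]}


def classify(url):
    """'c2_url' for an exact host+path match, 'c2_host' for host-only, None otherwise."""
    host, path = normalize(url)
    if (host, path) in C2_FULL:
        return "c2_url"
    if host in C2_HOSTS:
        return "c2_host"
    return None


def hunt(log_text):
    """Return (client, verdict, method, url) for every log line touching a C2 indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        verdict = classify(rec["url"])
        if verdict:
            hits.append((rec["client"], verdict, rec["method"], rec["url"]))
    return hits


def infected_clients(log_text):
    """Clients that reached a full C2 URL (the strong indicator), sorted and de-duplicated."""
    return sorted({client for client, verdict, _, _ in hunt(log_text) if verdict == "c2_url"})


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print("triage first:", infected_clients(SAMPLE_LOG))
```

Two caveats when using this against real logs: the path `/p.php/7MPTLmOD4nAsj` on the IP-based C2 carries a per-build identifier and will not match other Lokibot samples, so pair the URL hunt with a host/IP hunt in DNS and firewall logs; and a host-only hit on one of the `.bid`/`.top`/`.win`/`.trade` domains should be confirmed (POST method, small response size, repeated beaconing) before a client is declared infected.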

Targets

    • Target

      PO-4147074_pdf.exe

    • Size

      690KB

    • MD5

      44843dd3330a3965f49c9be7f174858e

    • SHA1

      e07a307359ecfe63e6dd16c8c31aee4552822300

    • SHA256

      3a034fa5c2fe8254340a6d7fd68887fb925d0d4804758d60e87aac56e737cfa8

    • SHA512

      efdd3f775d4a3fe198130a0c52e3b994bb7198781a49d410ebb7a49b6ec9d8ad2aeed5c0e3ffa02477814658390bb6a5e1e7eff95c74b5b9ddcfa42ce990e81a

    • Lokibot

      Lokibot is an information stealer that targets saved passwords and cryptocurrency wallets.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and other code-injection techniques.

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2 matched signatures

  • Discovery

    Query Registry (T1012): 4 matched signatures
    Virtualization/Sandbox Evasion (T1497): 2 matched signatures
    System Information Discovery (T1082): 2 matched signatures
    Peripheral Device Discovery (T1120): 1 matched signature

Tasks