General

  • Target

    BID INSTRUCTIONSCOMMERCIAL.exe

  • Size

    535KB

  • Sample

    210503-brqhceh2wn

  • MD5

    8bc942117444fafd1c484ba3c277d0b4

  • SHA1

    c7277325b1b9a5b2500198c2074e62523cd3135b

  • SHA256

    d4021060ba2ca5034165d5a2c735bdaa54bad25180ebf0f8e0c6d5f6af69e18e

  • SHA512

    8a2291d14da2e42f82e25414b9ac09c549ee1daa377bbbbdd61b276541a29fbe4a6a1cbf95673d8bb777ff66b9feb8b7a437a8555aa063b5af2732758158af41

Malware Config

Extracted

Family

lokibot

C2

http://104.168.175.179/ghost/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      BID INSTRUCTIONSCOMMERCIAL.exe

    • Size

      535KB

    • MD5

      8bc942117444fafd1c484ba3c277d0b4

    • SHA1

      c7277325b1b9a5b2500198c2074e62523cd3135b

    • SHA256

      d4021060ba2ca5034165d5a2c735bdaa54bad25180ebf0f8e0c6d5f6af69e18e

    • SHA512

      8a2291d14da2e42f82e25414b9ac09c549ee1daa377bbbbdd61b276541a29fbe4a6a1cbf95673d8bb777ff66b9feb8b7a437a8555aa063b5af2732758158af41

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks