General

  • Target

    po.exe

  • Size

    535KB

  • Sample

    210503-kf9fsneacs

  • MD5

    6c0c7128e3673edf9a8fb128a45a319e

  • SHA1

    1f70c7daa4b2bee51f7a5e2a7315a8c54b606700

  • SHA256

    81c772e7c3443e928084c9c25b4b7a31002dbac9c4c977eeace73dd721243317

  • SHA512

    fea221bf11629ba5cb44be79a9cd6fbefdc22aa25d98187f6b2d3a4bb0d50db9c24cab93f85c00d9cc3a3e3affe22d2acb16282bcdb9fc913ea757cd97dd5c6d

Malware Config

Extracted

Family

lokibot

C2

http://104.168.175.179/ghost2/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      po.exe

    • Size

      535KB

    • MD5

      6c0c7128e3673edf9a8fb128a45a319e

    • SHA1

      1f70c7daa4b2bee51f7a5e2a7315a8c54b606700

    • SHA256

      81c772e7c3443e928084c9c25b4b7a31002dbac9c4c977eeace73dd721243317

    • SHA512

      fea221bf11629ba5cb44be79a9cd6fbefdc22aa25d98187f6b2d3a4bb0d50db9c24cab93f85c00d9cc3a3e3affe22d2acb16282bcdb9fc913ea757cd97dd5c6d

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks