General

  • Target

    KAi3qCkCrMADbj2.exe

  • Size

    625KB

  • Sample

    210511-b63el78fzx

  • MD5

    534e325601d10023ace9461ad5051f74

  • SHA1

    45510f38a9ea49b6723b84084bb8aeccf5cd7bee

  • SHA256

    417a33c2d1b075159eb78934740620abac3e12b838b7d5c035fef9306f5a598f

  • SHA512

    c027a28df0de321547ca2eff066421b1a0b9fa2412eae9791bd8a4d93c7103b233a7fb493fc2072aee7986905e6d109bd9e99f263b98f29736a75e38720e24e5

Malware Config

Extracted

Family

lokibot

C2

http://173.208.204.37/k.php/7MPTLmOD4nAsj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      KAi3qCkCrMADbj2.exe

    • Size

      625KB

    • MD5

      534e325601d10023ace9461ad5051f74

    • SHA1

      45510f38a9ea49b6723b84084bb8aeccf5cd7bee

    • SHA256

      417a33c2d1b075159eb78934740620abac3e12b838b7d5c035fef9306f5a598f

    • SHA512

      c027a28df0de321547ca2eff066421b1a0b9fa2412eae9791bd8a4d93c7103b233a7fb493fc2072aee7986905e6d109bd9e99f263b98f29736a75e38720e24e5

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Tasks