General

  • Target

    92603af1152244669c1d987d267d54f1PAGO_PL73103000190108400402533221_20211.gz

  • Size

    228KB

  • Sample

    211028-v8236sggdl

  • MD5

    02e9e3aad0d2814f47983355c82f8ed2

  • SHA1

    0e4a211e9e4716354a53bbb9be73726e336b3ac2

  • SHA256

    7c8f7820cd056542d0d592f022ff46ef49334bbbec9654799ccd19fbb4ee3284

  • SHA512

    ed781eaac2077cd6f74115aca44ebd3bbc571c97cabb45b3d6a3d3fac0f4105ac246545e31dca2431fa8f2ac58172a3458e3a23eac4b1f85e3892cdf2c3aa8cd

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/ga19/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      92603af1152244669c1d987d267d54f1PAGO_PL73103000190108400402533221_20211..exe

    • Size

      241KB

    • MD5

      efaddcab3e1a1e1f8e557c50d8c70125

    • SHA1

      b365aae4cc416c0b18c067d4c55ed0e32d6b752e

    • SHA256

      95657208e2889560b9cd735a6bd98f99b817db9a7a2f7535dabec2193866103f

    • SHA512

      2528fb4b25a6e527312d5e979e5153f1634d4984d1b3204278e4ae59dbb8f6cc9ae68ff5268fbc1ae03ff7f535aadb2835ae778f6f3ee7ce92f497dce840265b

    • Lokibot

      LokiBot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
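The extracted C2 list and the two ET Suricata alerts above can be turned directly into a log check. The following is an added example, not part of the sandbox report or any vendor tooling: it parses a few constructed proxy-log lines, matches host and path against the C2 URLs from the extracted config, and flags the two traits the ET rules key on. The User-Agent string `Mozilla/4.08 (Charon; Inferno)` is taken from public knowledge of the ET "Charon/Inferno" signature, not from this page; the "Checkin" condition is approximated here as a POST to a `/fre.php` gate path, which generalises beyond the five listed hosts so that a new panel on a different domain is still caught by the path and User-Agent checks. The HTTP status code is deliberately not used as a filter.

```python
"""Match constructed proxy-log lines against the LokiBot C2 config and the
traits the ET 'LokiBot Checkin' / 'User-Agent (Charon/Inferno)' alerts use.

Added example, not code from the sandbox report or any vendor product.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration (from the report).
LOKIBOT_C2 = [
    "http://secure01-redirect.net/ga19/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# User-Agent string the ET Charon/Inferno rule matches on.
# Assumption: taken from the public ET signature, not from this page.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed log format: '<src> "<METHOD> <URL>" <status> "<User-Agent>"'
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def c2_indicators(urls):
    """Reduce C2 URLs to a set of (host, path) pairs for exact matching."""
    pairs = set()
    for u in urls:
        parts = urlsplit(u)
        pairs.add((parts.hostname.lower(), parts.path))
    return pairs


C2_INDICATORS = c2_indicators(LOKIBOT_C2)


def classify(line, indicators=C2_INDICATORS):
    """Return the list of reasons a log line looks like LokiBot C2 traffic.

    Reasons, in fixed order:
      known_c2            host+path is in the extracted config
      charon_inferno_ua   User-Agent matches the ET Charon/Inferno rule
      fre_php_checkin     POST to a /fre.php gate (approximates the Checkin rule)
    """
    reasons = []
    m = LOG_RE.match(line)
    if not m:
        return reasons  # unparseable line: no verdict
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    path = parts.path
    if (host, path) in indicators:
        reasons.append("known_c2")
    if m["ua"] == LOKIBOT_UA:
        reasons.append("charon_inferno_ua")
    if m["method"] == "POST" and path.endswith("/fre.php"):
        reasons.append("fre_php_checkin")
    return reasons


def scan(lines, indicators=C2_INDICATORS):
    """Return (src, url, reasons) for every line that triggers at least one reason."""
    hits = []
    for line in lines:
        reasons = classify(line, indicators)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["src"], m["url"], reasons))
    return hits


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 "POST http://kbfvzoboss.bid/alien/fre.php" 404 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.7 "GET http://example.com/index.html" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 "POST http://alphastand.top/alien/fre.php" 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.11 "POST http://other-panel.example/panel/fre.php" 200 "Mozilla/4.08 (Charon; Inferno)"',
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {url}: {', '.join(reasons)}")
```

The fourth sample line is the interesting one: its host is not in the extracted config, yet the gate path and User-Agent still identify it, which is why the behavioural checks are worth keeping alongside the literal C2 list.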

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Credential Access  Credentials in Files           1      T1081
  Discovery          System Information Discovery   1      T1082
  Collection         Data from Local System         1      T1005
  Collection         Email Collection               1      T1114
