General

  • Target: 7c6df6ee9bfa7763e0a73747a49d26dcc2d4cfa59c5bae0394a57475b0ef11b8.exe
  • Size: 304KB
  • Sample: 211104-n8y8ysgee9
  • MD5: e5d3c34fe856e1c446f1e475dd234af6
  • SHA1: bb86dede95bee535bd99a00004904359bdea2bde
  • SHA256: 7c6df6ee9bfa7763e0a73747a49d26dcc2d4cfa59c5bae0394a57475b0ef11b8
  • SHA512: 5c3f93557874cb8393f042a9337f1446ac46d760f347be8b247a6c2b06cd299ff19b08affebd0d01f88c780b94fd687db3e2f710bc7cb94c8895228cd5a5a7d8

Malware Config

Extracted

Family: lokibot

C2:

  • http://74f26d34ffff049368a6cff8812f86ee.ml/BN22/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Targets

    • Target: 7c6df6ee9bfa7763e0a73747a49d26dcc2d4cfa59c5bae0394a57475b0ef11b8.exe
    • Size: 304KB
    • MD5: e5d3c34fe856e1c446f1e475dd234af6
    • SHA1: bb86dede95bee535bd99a00004904359bdea2bde
    • SHA256: 7c6df6ee9bfa7763e0a73747a49d26dcc2d4cfa59c5bae0394a57475b0ef11b8
    • SHA512: 5c3f93557874cb8393f042a9337f1446ac46d760f347be8b247a6c2b06cd299ff19b08affebd0d01f88c780b94fd687db3e2f710bc7cb94c8895228cd5a5a7d8

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family is designed to insert itself into other executable files in order to spread and cause damage.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks