General

  • Target

    86527ddc54f19b87b4c39279d96bead8f58a9961e0115d7ff12719b688f12df5.exe

  • Size

    337KB

  • Sample

    211201-wnt3haefdn

  • MD5

    7ff711fce0553fa21e4e305253d2018c

  • SHA1

    f06a20b3b4051b1a04282ac6f902d5f3a7263a61

  • SHA256

    86527ddc54f19b87b4c39279d96bead8f58a9961e0115d7ff12719b688f12df5

  • SHA512

    714e766e57424c693f24012044b582c681582cc86e65f6b22757baca0613a3f2a3a4d5c7766a8fde57a75fe3614fd21f9259f5ea5b1334064aa6fcd746f87a0a

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/bo/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      86527ddc54f19b87b4c39279d96bead8f58a9961e0115d7ff12719b688f12df5.exe

    • Size

      337KB

    • MD5

      7ff711fce0553fa21e4e305253d2018c

    • SHA1

      f06a20b3b4051b1a04282ac6f902d5f3a7263a61

    • SHA256

      86527ddc54f19b87b4c39279d96bead8f58a9961e0115d7ff12719b688f12df5

    • SHA512

      714e766e57424c693f24012044b582c681582cc86e65f6b22757baca0613a3f2a3a4d5c7766a8fde57a75fe3614fd21f9259f5ea5b1334064aa6fcd746f87a0a

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks