General

  • Target

    DC9095857497494.BAT

  • Size

    1MB

  • Sample

    211206-k97pyaged9

  • MD5

    69e50153619ce219aa8b526cc8c6cb1d

  • SHA1

    7a5429ca50ce7d5cc462a0d26127a179259113d6

  • SHA256

    4f68d7352e104d5eac36c27fd94ebd352aae06cc335f363df2f9de78933ed92d

  • SHA512

    ed377cd25ed5e6e3a0e2b8489c03f444f9a968ee0c59cc83be7f9c7744b916368d2c9aa2282a0fa79de7fff790a0ca4aa21986a200c004a89fbd12585bf96798

Malware Config

Extracted

Family

lokibot

C2

http://umuloki.xyz/xx/za/nn.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      DC9095857497494.BAT

    • Size

      1MB

    • MD5

      69e50153619ce219aa8b526cc8c6cb1d

    • SHA1

      7a5429ca50ce7d5cc462a0d26127a179259113d6

    • SHA256

      4f68d7352e104d5eac36c27fd94ebd352aae06cc335f363df2f9de78933ed92d

    • SHA512

      ed377cd25ed5e6e3a0e2b8489c03f444f9a968ee0c59cc83be7f9c7744b916368d2c9aa2282a0fa79de7fff790a0ca4aa21986a200c004a89fbd12585bf96798

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks