General

  • Target

    csrss.exe (the sample's file name mimics the legitimate Windows Client/Server Runtime Subsystem process, which lives in C:\Windows\System32 and never runs from a user-writable path)

  • Size

    309KB

  • Sample

    211206-xwqwgsehel

  • MD5

    cf7095f7f790691075cc0fa8416b421e

  • SHA1

    9171714663e69ade80b438f65e4b4d5ce36276d7

  • SHA256

    105c6a65575df97241ddc6b81c72fe929007105cffe748163ce80cdcad8c8283

  • SHA512

    f2625103d722291b8f0b7ac40e6246ce4591c902e6184126e4c7b5ca43214fab95ddb6084efa9991a43e635c38602a7d3d251cb6eb4b6d6caa288ee93c95b5d3

Malware Config

Extracted

Family

lokibot

C2

http://hdmibonquet.ir/oluwa/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      csrss.exe

    • Lokibot

      LokiBot is an information stealer that harvests saved credentials from web browsers, email and FTP clients, and cryptocurrency wallet files, and exfiltrates them by HTTP POST to a PHP gate on its C2 (the fre.php URLs listed in the extracted config).

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile stores (saved logins, cookies, autofill data); reads of these files by a process other than the browser itself are a useful hunting signal.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the usual last step of process hollowing (RunPE): the payload is written into a suspended child and its entry point is redirected before the thread is resumed.
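
The following triage helper is an added example, not part of the sandbox report or of any Triage/Suricata tooling. It takes the hash and C2 indicators listed above and shows how an analyst would use them: hash a suspect file against the report's MD5/SHA1/SHA256, and scan proxy log lines for the extracted C2 URLs and hosts, the "Mozilla/4.08 (Charon; Inferno)" User-Agent that the ET rule name refers to (LokiBot's well-known check-in User-Agent), and POSTs to a fre.php gate (a heuristic generalised from the listed URLs, so treat it as an assumption, not a rule from the report). The log lines are constructed for the demonstration.

```python
"""Triage helper for the LokiBot sample above (added example, not report code)."""
import hashlib
from urllib.parse import urlparse

# Hash IOCs copied from the report.
IOC_HASHES = {
    "md5": "cf7095f7f790691075cc0fa8416b421e",
    "sha1": "9171714663e69ade80b438f65e4b4d5ce36276d7",
    "sha256": "105c6a65575df97241ddc6b81c72fe929007105cffe748163ce80cdcad8c8283",
}

# C2 gate URLs from the extracted malware config in the report.
C2_URLS = [
    "http://hdmibonquet.ir/oluwa/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# User-Agent LokiBot sends on check-in; the ET rule
# "LokiBot User-Agent (Charon/Inferno)" is named after it.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def file_hashes(data: bytes) -> dict:
    """Compute the same three digests the report lists for a file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def matches_ioc_hashes(data: bytes) -> list:
    """Return the algorithms for which the file matches the report's IOCs."""
    return [name for name, digest in file_hashes(data).items()
            if IOC_HASHES[name] == digest]


def classify_request(method: str, url: str, user_agent: str) -> list:
    """Return the reasons (possibly none) a request looks like LokiBot C2 traffic."""
    reasons = []
    parsed = urlparse(url)
    if url in C2_URLS:
        reasons.append("known C2 URL")
    elif parsed.hostname in C2_HOSTS:
        reasons.append("known C2 host")
    if user_agent == LOKIBOT_UA:
        reasons.append("LokiBot User-Agent (Charon/Inferno)")
    # Assumption: LokiBot check-ins are POSTs to a fre.php gate, as every
    # URL in the extracted config is; this is a heuristic, not an ET rule.
    if method == "POST" and parsed.path.endswith("fre.php"):
        reasons.append("POST to fre.php gate")
    return reasons


# Constructed proxy log lines for the demo: method, URL, User-Agent, tab separated.
SAMPLE_LOG = """\
GET\thttp://www.example.com/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
POST\thttp://alphastand.trade/alien/fre.php\tMozilla/4.08 (Charon; Inferno)
POST\thttp://kbfvzoboss.bid/alien/fre.php\tMozilla/5.0 (Windows NT 10.0)
GET\thttp://hdmibonquet.ir/\tMozilla/5.0
"""


def scan_log(log_text: str) -> list:
    """Return (url, reasons) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, user_agent = line.split("\t", 2)
        reasons = classify_request(method, url, user_agent)
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

Matching on the exact C2 URLs catches this sample's config; matching on the hosts as well catches follow-on requests to the same infrastructure. The User-Agent check is the higher-confidence signal, since it does not depend on a config extracted from one sample.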

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Signatures  ID
  Credential Access  Credentials in Files           1           T1081
  Discovery          System Information Discovery   1           T1082
  Collection         Data from Local System         1           T1005
  Collection         Email Collection               1           T1114

  The "Signatures" column is the number of sandbox signatures mapped to each technique. These IDs are from ATT&CK v6; in current ATT&CK versions T1081 is deprecated in favour of T1552.001 (Unsecured Credentials: Credentials In Files).
