General

  • Target

    1da487dcf49ac5e7f76e0cf453f80975a35c74689d39135f7758440054035772

  • Size

    352KB

  • Sample

    211207-pk4dfabhh3

  • MD5

    27c36cc1931a34f0dc19ca898eb196ba

  • SHA1

    e8fe8c597f910e85e2bee4f84c2b6488db728e52

  • SHA256

    1da487dcf49ac5e7f76e0cf453f80975a35c74689d39135f7758440054035772

  • SHA512

    3777ac14d51e9c814f5de5ddde1875c207475f440e2aa11a40cc0f83c653639ed09440a7599e1e8b7295a459bd9dc20854b39b1565f34b08bd63fdb6ad3d778b

Malware Config

Extracted

Family

lokibot

C2

http://hdmibonquet.ir/oluwa/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            | Technique                    | ID    | Count
  ------------------|------------------------------|-------|------
  Credential Access | Credentials in Files         | T1081 | 1
  Discovery         | System Information Discovery | T1082 | 1
  Collection        | Data from Local System       | T1005 | 1
  Collection        | Email Collection             | T1114 | 1