General

  • Target

    fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe

  • Size

    197KB

  • Sample

    220120-wmvmmsbabr

  • MD5

    3553730092aed51702858b9ba64f0ab3

  • SHA1

    3adf8943bcc6692b82f5c25d21f040cf182427ad

  • SHA256

    fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a

  • SHA512

    3c03f484b19084d7a5a4622878daabfc5ec089a1ccebbe82f0ea0caad3578ff823e40560ec1f0cbef5353cf77bc8baeb5617ae43c8e187ba996413dfd77b08b9

Malware Config (Extracted)

  • Family

    lokibot

  • C2

    http://windowssecuritycheck.gdn/mx/l/frefvdvdvfdfvdf.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks