General

  • Target

    8eb301b6e0ebb3a9aed1e3056635c3e6ba357d71e2e72a85a649e01ee3bff6dd

  • Size

    812KB

  • Sample

    220414-pwy8vscah6

  • MD5

    69a77e6a7fccb87c1fb85e2cfe12003f

  • SHA1

    58876e79c7397ab11cc2d7897a32ac52cf713dae

  • SHA256

    8eb301b6e0ebb3a9aed1e3056635c3e6ba357d71e2e72a85a649e01ee3bff6dd

  • SHA512

    4b0d1380b95f5507b01eaf7fc1e7ae85238513f136d50326881e1bc27579fb9f1c493608ac5a4f1107f1d49a2b95a49bd8c0db77d3cebdbd39f1022f3503f504

Malware Config

Extracted

Family

lokibot

C2

http://185.208.182.56/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Meta Stealer

      Meta Stealer is an infostealer written in C++ that steals passwords stored in browsers.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
