General

  • Target

    1c909356c2c0df3d17d1b2694be16f5ab2be10efda79c6faff748661f4757127

  • Size

    969KB

  • Sample

    220415-bgnxpafefm

  • MD5

    c6b02852889de04f1349ffcef5e64054

  • SHA1

    b9ac7e3db5a4fc23c80eac135e6b781b56998e96

  • SHA256

    1c909356c2c0df3d17d1b2694be16f5ab2be10efda79c6faff748661f4757127

  • SHA512

    c77c20cd877a71850cda9255cab39fac7eaa0208822cc8b8cf3ae7789d46f2f0c13db730839f8e3988123f1ce254c53d0d6f8696e615b4e9fe0a586d5f0eae66

Malware Config

Extracted

Family

lokibot

C2

http://oziltestfw.ml/officem10/logs/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      1c909356c2c0df3d17d1b2694be16f5ab2be10efda79c6faff748661f4757127

    • Size

      969KB

    • MD5

      c6b02852889de04f1349ffcef5e64054

    • SHA1

      b9ac7e3db5a4fc23c80eac135e6b781b56998e96

    • SHA256

      1c909356c2c0df3d17d1b2694be16f5ab2be10efda79c6faff748661f4757127

    • SHA512

      c77c20cd877a71850cda9255cab39fac7eaa0208822cc8b8cf3ae7789d46f2f0c13db730839f8e3988123f1ce254c53d0d6f8696e615b4e9fe0a586d5f0eae66

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Meta Stealer Stealer

      Meta Stealer, written in C++, steals passwords stored in browsers.

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks