General

  • Target

    21250461884af7cdce99729c8ea5fe2aaaa1250b715a9c26899a97d9e05829f1.exe

  • Size

    178KB

  • Sample

    220514-q5j1zacchj

  • MD5

    0707fdefc009742f2b71bd74f94f541b

  • SHA1

    97f281579aef9feb7f7f13f08d12add1004b05c7

  • SHA256

    21250461884af7cdce99729c8ea5fe2aaaa1250b715a9c26899a97d9e05829f1

  • SHA512

    096b0163a41f8ea6562b0df3f4fd9c4e73511d6f255000155897fd072d3edb76367161703483406ffbaf92b8329aba54af99248a2b3fae44ed69a2b8011c7d5f

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      21250461884af7cdce99729c8ea5fe2aaaa1250b715a9c26899a97d9e05829f1.exe

    • Size

      178KB

    • MD5

      0707fdefc009742f2b71bd74f94f541b

    • SHA1

      97f281579aef9feb7f7f13f08d12add1004b05c7

    • SHA256

      21250461884af7cdce99729c8ea5fe2aaaa1250b715a9c26899a97d9e05829f1

    • SHA512

      096b0163a41f8ea6562b0df3f4fd9c4e73511d6f255000155897fd072d3edb76367161703483406ffbaf92b8329aba54af99248a2b3fae44ed69a2b8011c7d5f

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks