tmp

General
Target

tmp

Size

505KB

Sample

220514-rwvlsacfdm

Score
10 /10
MD5

42bbd99a0ea0fcc5a3f9e6331277cc14

SHA1

fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d

SHA256

f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e

SHA512

5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8

Malware Config

Extracted

Family lokibot
C2

http://85.202.169.172/remote/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets
Target

tmp

MD5

42bbd99a0ea0fcc5a3f9e6331277cc14

Filesize

505KB

Score
10/10
SHA1

fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d

SHA256

f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e

SHA512

5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8

Tags

Signatures

  • Lokibot

    Description

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    Tags

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    Description

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    Tags

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    Description

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    Tags

  • suricata: ET MALWARE LokiBot Checkin

    Description

    suricata: ET MALWARE LokiBot Checkin

    Tags

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    Description

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    Tags

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    Description

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    Tags

  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    Description

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation