General

  • Target

    tmp

  • Size

    178KB

  • Sample

    220514-ryn7saace9

  • MD5

    fefc2d8ef05916189407d8917c61ba13

  • SHA1

    92aa5269b897b91a220dbb70ac54c27807486fa4

  • SHA256

    9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

  • SHA512

    8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.gq/BN3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      tmp

    • Size

      178KB

    • MD5

      fefc2d8ef05916189407d8917c61ba13

    • SHA1

      92aa5269b897b91a220dbb70ac54c27807486fa4

    • SHA256

      9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

    • SHA512

      8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation