General

  • Target

    Purchase_items_List.exe

  • Size

    596KB

  • Sample

    220519-clkw9scddn

  • MD5

    b3e40421c6609be05bc116697126146d

  • SHA1

    319e92693d1ef6ea296a945577269625d10ce682

  • SHA256

    cd4247426c4fbd531a62dedb1c599360312f3d48ab0800699f8a54ee4fb88c17

  • SHA512

    b4d7c390c361fe34412dde90d568572884bd7107706925fe32ace39b5c8cb15e8d0ea0d5da407a59ad16d2583c573fc8c199ce820fe5173f966d03ca0cea43cd

Malware Config

Extracted

Family

lokibot

C2

http://pimplord.ru/projects/image/ssl/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Purchase_items_List.exe

    • Size

      596KB

    • MD5

      b3e40421c6609be05bc116697126146d

    • SHA1

      319e92693d1ef6ea296a945577269625d10ce682

    • SHA256

      cd4247426c4fbd531a62dedb1c599360312f3d48ab0800699f8a54ee4fb88c17

    • SHA512

      b4d7c390c361fe34412dde90d568572884bd7107706925fe32ace39b5c8cb15e8d0ea0d5da407a59ad16d2583c573fc8c199ce820fe5173f966d03ca0cea43cd

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks