General

  • Target: 0f1297343dfe9063e2521071b8901243a317a182dbe513d4bf0e98f12064ad88
  • Size: 446KB
  • Sample: 220521-nce57sgefr
  • MD5: 6e59e5d41380e1ffe6c19a249ac9d61a
  • SHA1: e1ef5898c2c1c0642f6708df112174879cdaceaf
  • SHA256: 0f1297343dfe9063e2521071b8901243a317a182dbe513d4bf0e98f12064ad88
  • SHA512: de02df997004554198dd1cd65c3a5e7b3237849cd1408e1b51827e12d45ab7e665787193e9852d722684cce6c557edf13e3ee82194d73297a4a73325ab37b54b

Malware Config

Extracted

  • Family: lokibot
  • C2:
      http://mecharnise.ir/ea16/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Targets

    • Target: PAYMENT.exe
    • Size: 505KB
    • MD5: f673e075820eb6bc17c5a986335c4cc7
    • SHA1: e927750ce61d24cb120570ce90d24820eced03d6
    • SHA256: e2475ed36f6c04d8960ee27ebb3a0bc7f3148b2e780c948958920c554699267b
    • SHA512: 554f0dbf37bafad6525907792053b794940dcd66784ed307ad9643c1a594879ca96b362f1085edc0ddcb34b580aca1457ddcbc0fe5183d9663a8011b2b285a00

    • Lokibot
      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     #  ID
  Execution             Scheduled Task                1  T1053
  Persistence           Scheduled Task                1  T1053
  Privilege Escalation  Scheduled Task                1  T1053
  Credential Access     Credentials in Files          1  T1081
  Discovery             Query Registry                1  T1012
  Discovery             System Information Discovery  2  T1082
  Collection            Data from Local System        1  T1005
  Collection            Email Collection              1  T1114

Tasks