General
-
Target
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f
-
Size
320KB
-
Sample
220521-pszefsbbfk
-
MD5
9d85837c19f17bb41eb39aaa6c608b74
-
SHA1
e5dfb98dde09cf621cdeb96c491e5f23510ee37a
-
SHA256
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f
-
SHA512
43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e
Malware Config
Extracted
lokibot
http://mellle.com/ses/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f
-
Size
320KB
-
MD5
9d85837c19f17bb41eb39aaa6c608b74
-
SHA1
e5dfb98dde09cf621cdeb96c491e5f23510ee37a
-
SHA256
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f
-
SHA512
43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-