General
-
Target
a0345a7846668773bc9219a914a5e0f6c51d4d96b865e9995fe48eca627a48eb
-
Size
173KB
-
Sample
220521-pt81aagac6
-
MD5
097d35c238355260ce6b7f52f3d39027
-
SHA1
0d6cfe13f2a05f2a509313dc2f3512ded3d85108
-
SHA256
a0345a7846668773bc9219a914a5e0f6c51d4d96b865e9995fe48eca627a48eb
-
SHA512
eddced8c115ef80a9264c859c97376c91b6b52965dc664963034e460275f99ddb86e99f0b2b87f800fab87592e65667bb978f9f6c00e96f7a2fb76c9bd0a869f
Malware Config
Extracted
lokibot
http://lugaribeiro.com.br/luga/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Citat Urgent Dm Drogerie Markt SRL.exe
-
Size
373KB
-
MD5
175601d119c91fb7500bd1ae24e43388
-
SHA1
124d5e30969bd73372ec6f0bb2220034d49ebb6d
-
SHA256
8de3708192c4e0a075f748391a733950dc3a5f0121a7bfaebc824765847bbd35
-
SHA512
749bda0e300562a10653c75e443e0f9156f12f2a285a5498a59d6596b77f20a48fe7ce147ed39f39f0d602ae062896da75829f74db8776abd876f59b8a984a4a
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-