General

  • Target

    231a2f45a4219ebaf9491e1098bc12c7284e13dd22ed823aa670e7ec08a8c199

  • Size

    168KB

  • Sample

    220521-pykhgsgbg5

  • MD5

    8b05baaf849362adc0e5955b6d7883a4

  • SHA1

    d63fa67839081d60856cd48847ea4264724b8dda

  • SHA256

    231a2f45a4219ebaf9491e1098bc12c7284e13dd22ed823aa670e7ec08a8c199

  • SHA512

    5b57bd8a0739d4ef8f6134d58166e348c57e57dc278af7d2ddce22dd75643ba020f280a6550d1fe60979f1193fd828edd9b91b9fc785d405ea16156d358b0a1f

Malware Config

Extracted

Family

lokibot

C2

http://kovachevpress.com/docsx/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      QUOTE2020 pdf.exe

    • Size

      368KB

    • MD5

      83005f40d807395b48b6db94468d2724

    • SHA1

      4716bc507a056937815fc864a1a3ffd16fe3a9af

    • SHA256

      2c07db0899ca0694f0968ccbc4ce68b60356a8f832f9bc3875529fc0e35c8778

    • SHA512

      e22410f5591c96c72b7b935599b7adeade9652ac71a0d0d1f2e1627504f9112aecc59d0c855b94aec71442247cdc18cbddb58b0c19c74cf0335aa57a1edf548d

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers commonly read the browser's stored profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
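The following is an added example and not part of the sandbox report: a small Python log scanner that turns the indicators above into a check you can run over proxy or HTTP logs. It matches the five C2 URLs from the extracted config (by hostname), the POST-to-fre.php check-in pattern those URLs share, and a User-Agent containing the Charon/Inferno markers that the ET Suricata rule is named after. The log line format and the log lines themselves are constructed for the example, and the exact User-Agent value is modelled on the rule name rather than taken from the report.

```python
"""
Added example (not from the sandbox report): flag LokiBot C2 traffic in
HTTP/proxy logs using the C2 URLs from the extracted config and the
User-Agent / check-in traits that the ET Suricata rules on the page name.
Log format, log lines and the exact User-Agent string are constructed.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the extracted lokibot config on the page.
C2_URLS = [
    "http://kovachevpress.com/docsx/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname.lower() for u in C2_URLS}

# The ET rule "LokiBot User-Agent (Charon/Inferno)" keys on these two words;
# they are matched case-insensitively anywhere in the User-Agent header.
UA_MARKERS = ("charon", "inferno")

# Constructed proxy-style line: <ts> <client> <method> <url> "<user-agent>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a parsed record looks like LokiBot C2 traffic."""
    reasons = []
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    ua = rec["ua"].lower()
    if host in C2_HOSTS:
        reasons.append("known_c2_host")
    if any(marker in ua for marker in UA_MARKERS):
        reasons.append("lokibot_user_agent")
    # Every C2 URL in the config ends in /fre.php; a POST there is the
    # check-in / exfiltration pattern the ET "Checkin" rules describe.
    if rec["method"] == "POST" and parts.path.endswith("/fre.php"):
        reasons.append("post_to_fre_php")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every line that trips at least one check."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["url"], reasons))
    return hits


# Constructed sample log. The Charon/Inferno User-Agent value is an assumption
# based on the ET rule name; the 203.0.113.9 host is a documentation address
# used to show that the UA and path checks fire even for an unlisted C2.
SAMPLE_LOG = """\
2022-05-21T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2022-05-21T10:00:07Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php "Mozilla/4.08 (Charon; Inferno)" 404
2022-05-21T10:00:09Z 10.0.0.5 POST http://alphastand.top/alien/fre.php "Mozilla/4.08 (Charon; Inferno)" 200
2022-05-21T10:00:12Z 10.0.0.7 POST http://203.0.113.9/panel/fre.php "Mozilla/4.08 (Charon; Inferno)" 200
2022-05-21T10:00:15Z 10.0.0.8 GET http://www.example.org/ "curl/7.81.0" 200
"""

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {url}: {', '.join(reasons)}")
```

The hostname match is the high-confidence signal; the User-Agent and fre.php checks are kept separate so a hit on an unlisted host (the fourth sample line) still surfaces, which matters because LokiBot panels rotate domains faster than any extracted config can track.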

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks