General

  • Target

    1758e9ced2eebb301b312af2748613cd8be891103a2b722eb6a52e17dfbd1a32

  • Size

    786KB

  • Sample

    220521-pyt2xsbdhk

  • MD5

    7320c5d437145ad84f12cfe5c0c1ec2f

  • SHA1

    1a99ffc3c6de885be178b66e7137a1865e574164

  • SHA256

    1758e9ced2eebb301b312af2748613cd8be891103a2b722eb6a52e17dfbd1a32

  • SHA512

    c5bd377e610a2e2c6b93f7d9b3cc2d636986f4e6098ea20f6fd10dbb08e090559cd27ce25257a6b6daabdd6e0456ec7661cd6a228c31e8c9ea4fe882d17d1a83

Malware Config

Extracted

Family

lokibot

C2

http://niskioglasi.rs/test1/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      2arhsLRMyaVml7q.exe

    • Size

      1.0MB

    • MD5

      17c5c0a296cae759555eda7c492a49a8

    • SHA1

      25f31e7ba4c4293c1c340906b4bf9730798e0b2f

    • SHA256

      de660c0038b994e1aef2aaacc59131ea98f312376be5820893ff081396239042

    • SHA512

      99cb7fead966f09da3f8836998c428a5fd6489e71c3abe82466cfbe285813c10d9a306e2348f72b4d475a54d3f3751f860b6ce4d5ff36e025971c24af39cf22a

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (1)

  • Collection

    T1005 Data from Local System (1)

    T1114 Email Collection (1)

Tasks