a9884b3c353d97349092b79f407a2311155dad2571f5006325c318b5e4cddc58

General

Target: a9884b3c353d97349092b79f407a2311155dad2571f5006325c318b5e4cddc58
Size: 669KB
Sample: 220521-sp7s7shhc4
Score: 10/10
MD5: c1076707e92d89285c9535e502bdc0ff
SHA1: 947b4636d09acb44e83dfe309c8f6de85201a5c4
SHA256: a9884b3c353d97349092b79f407a2311155dad2571f5006325c318b5e4cddc58
SHA512: 495756acb90129a113e9de67b4efad4e12d4485535865fa5d38e1e294a0bdceee60cdd9da3ab0adb2065c5450721bb84285703f202f64d07786bb9e294347ca0

Malware Config (extracted)

Family: lokibot
C2:

Signatures

  • Lokibot: Lokibot is a Password and CryptoCoin Wallet Stealer.
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Fake 404 Response
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc. TTPs: Data from Local System; Credentials in Files.
  • Accesses Microsoft Outlook profiles. TTPs: Email Collection.
  • Suspicious use of SetThreadContext
