2f4122fed142c81e9f7fff4ed091012063c70b8b8c77a83b6dfe5a20dbff85bf

General

Target: 2f4122fed142c81e9f7fff4ed091012063c70b8b8c77a83b6dfe5a20dbff85bf

Size: 718KB

Sample: 220521-w7fzzsbah5

Score: 10/10

MD5: e3cd19429642273c1b147246ddec3c30

SHA1: 98776947cdec0ae719c4e28b0ec65dc2593781b8

SHA256: 2f4122fed142c81e9f7fff4ed091012063c70b8b8c77a83b6dfe5a20dbff85bf

SHA512: 42782f4f74727b35791c88deb1f889e849307a9e1a2f0ced5ffda938908e20bd89bd4c50a5c9734c7da42cf5f6e71eeb2742986f79d0bb315f7af5bb7f1a5fbc

Malware Config

Extracted

Family: lokibot

C2:

http://rarlab.gq/comic/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

Target: rar.exe

MD5: 30c26f973e864ae0bb81942137176acb

Filesize: 838KB

Score: 10/10

SHA1: ab42932e9e8bb05250369966bd2af44223db82a1

SHA256: 51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab

SHA512: 0ff5f5c3af3a8cd4b37fce61e2230e5889cbe42d956ab1c9b2273eb268aa1951f192ef342ff5d218cb5ebe2103d7fa88aba5d74d12a2c4eeaab8a7d9e7fbb98c

Signatures

  • Lokibot

    Description: Lokibot is a Password and CryptoCoin Wallet Stealer.

  • ModiLoader, DBatLoader

    Description: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

  • suricata: ET MALWARE LokiBot Checkin

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • ModiLoader Second Stage

  • Executes dropped EXE

  • Checks computer location settings

    Description: Looks up country code configured in the registry, likely geofence.

    TTPs: Query Registry, System Information Discovery

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    TTPs: Email Collection

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation