09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06

General

Target: 09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
Size: 991KB
Sample: 220521-w9lm9aeebr
Score: 10/10
MD5: b650d2a7c5a71109cf872ad301c424d4
SHA1: 08e3f4f8d920bad2b87b0fa6f9ec9aaa89cd5384
SHA256: 09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
SHA512: c2abb72202ff643dc031aaa3b290b68c1a8267b9057116a7601cfe5e383e18a5840a5a7a017a157548777327ff347428be3967746fe6661995c3c1f28013be42

Malware Config (Extracted)

Family: lokibot
C2:
  • http://rnarport.com/deal/five/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Targets

Target: SOA_#BA520865 APR20pdf.exe
Filesize: 1MB
Score: 10/10
MD5: 651f7592df60c78259741d1452987807
SHA1: e4a39cb28f1275bd13dd357ce5592f4dc975268f
SHA256: fba2d704c11e4e6016da0acc631c12bb8ded89d3c46eb5469aa98988844f8b7e
SHA512: c438fc13a08ac1b27004a92d818341c1151b7df74fe3c0514636d087044b82e20f1d451acc05554e96a2265a1e10eb704a3feccb46ed8660a75c49d5b1daf4b4

Signatures

  • Lokibot: Lokibot is a Password and CryptoCoin Wallet Stealer.
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • Accesses Microsoft Outlook profiles (TTPs: Email Collection)
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation