General

  • Target

    f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe

  • Size

    310KB

  • Sample

    220521-yhw11schh8

  • MD5

    0c5c5af36d67e89a321bff54e6f6e431

  • SHA1

    d894a2ab68371b6661468c6906648cd11f38ff32

  • SHA256

    f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8

  • SHA512

    fcd788eb744423db5169362a11ca7a16408bb54fccb79ed375342e6715de92bb3dcfd4c93472f71ec9be14b9d97460f95a731f3a2865f0c51977644f6c7da9fd

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://sempersim.su/gg1/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                       #   ID
  Credential Access   Credentials in Files            1   T1081
  Discovery           System Information Discovery    1   T1082
  Collection          Data from Local System          1   T1005
  Collection          Email Collection                1   T1114

Tasks