General

  • Target

    325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe

  • Size

    557KB

  • Sample

    220521-yhxbsadaa3

  • MD5

    8133ee977a0f5e8649fdf16976ff84fc

  • SHA1

    b97f14c79e56b206f94dfdda6525ce8ddf7ef6b3

  • SHA256

    325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455

  • SHA512

    1571ef43e27d052d0cf8201e3adcb017320739d2783ae5f376381ef8143dc979f4041da8961b31d029f0d5d283b1344c4b3d1cbbbde8ed486f7575d450a87297

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://sempersim.su/gg1/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe

    • Size

      557KB

    • MD5

      8133ee977a0f5e8649fdf16976ff84fc

    • SHA1

      b97f14c79e56b206f94dfdda6525ce8ddf7ef6b3

    • SHA256

      325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455

    • SHA512

      1571ef43e27d052d0cf8201e3adcb017320739d2783ae5f376381ef8143dc979f4041da8961b31d029f0d5d283b1344c4b3d1cbbbde8ed486f7575d450a87297

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks