General
-
Target
00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
-
Size
123KB
-
Sample
220521-yhyjvagbhl
-
MD5
401d189e5da7d6d6d490a4ed29a5538a
-
SHA1
4111011de3c146560fe3a3f47af2008b4aa49816
-
SHA256
00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692
-
SHA512
2808bf54a542c3740f5b8fc370411d86108188dd27e18d3a55c73c36ffe1e1a2380936f32eca024460b3eb0738cb81a24ece55913edcd54b79c089a8e04a9c58
Malware Config
Extracted
lokibot
http://sempersim.su/gf9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
-
Size
123KB
-
MD5
401d189e5da7d6d6d490a4ed29a5538a
-
SHA1
4111011de3c146560fe3a3f47af2008b4aa49816
-
SHA256
00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692
-
SHA512
2808bf54a542c3740f5b8fc370411d86108188dd27e18d3a55c73c36ffe1e1a2380936f32eca024460b3eb0738cb81a24ece55913edcd54b79c089a8e04a9c58
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-