General

  • Target

    0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87

  • Size

    4.1MB

  • Sample

    220528-f4kk1aaee3

  • MD5

    7e5dd95f50dd0df531c8bb9069b8f350

  • SHA1

    7547d0ec26695ecd8a9e696b6e1a1e5485330662

  • SHA256

    0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87

  • SHA512

    9d9130786e21f9907cf2196d4122cbaf0c444462f682a242136a6140cdc05693ba4fb9af95cf9968d55d96cc470d9cde06ed160bebc09ba3eac7fc2f265ac240

Malware Config

Extracted

Family

lokibot

C2

http://achakeybase.com.de/cush/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87

    • Size

      4.1MB

    • MD5

      7e5dd95f50dd0df531c8bb9069b8f350

    • SHA1

      7547d0ec26695ecd8a9e696b6e1a1e5485330662

    • SHA256

      0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87

    • SHA512

      9d9130786e21f9907cf2196d4122cbaf0c444462f682a242136a6140cdc05693ba4fb9af95cf9968d55d96cc470d9cde06ed160bebc09ba3eac7fc2f265ac240

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Luminosity

      Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE LuminosityLink - Data Channel Client Request 2

      suricata: ET MALWARE LuminosityLink - Data Channel Client Request 2

    • suricata: ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter

      suricata: ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks