General

  • Target

    31f09bbb6786390509a17888ccbde6c25ad2435962c5133f4c37a2c427827fae

  • Size

    2.2MB

  • Sample

    220620-vq21fsaah9

  • MD5

    d8c2902588e256e2f380e8d19e0b5273

  • SHA1

    66b88c52ce6c2b69eb1e8409bceb97996eed4eca

  • SHA256

    31f09bbb6786390509a17888ccbde6c25ad2435962c5133f4c37a2c427827fae

  • SHA512

    6fc74ccdd17bc3ba71e22b893d9906ee648144f689f25cd6322335b9a23e735bbbad05f81cf93fbf91ce4b35ac04c42204c8722c2e747d5b48951de470d0dc5b

Malware Config

Extracted

Family

lokibot

C2

http://fashionstune.com/wp-includes/app/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      31f09bbb6786390509a17888ccbde6c25ad2435962c5133f4c37a2c427827fae

    • Size

      2.2MB

    • MD5

      d8c2902588e256e2f380e8d19e0b5273

    • SHA1

      66b88c52ce6c2b69eb1e8409bceb97996eed4eca

    • SHA256

      31f09bbb6786390509a17888ccbde6c25ad2435962c5133f4c37a2c427827fae

    • SHA512

      6fc74ccdd17bc3ba71e22b893d9906ee648144f689f25cd6322335b9a23e735bbbad05f81cf93fbf91ce4b35ac04c42204c8722c2e747d5b48951de470d0dc5b

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT Payload

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks