General

  • Target

    c85c16d46f7830ad5afc138282399bb1de7b71e67d516e7c76973c54d187d906

  • Size

    4.4MB

  • Sample

    220624-2cefkahhe3

  • MD5

    619dc6473630bef5775dc62304ebc640

  • SHA1

    3884fcd67c73e0c1f7c37a37b47dc69f61df82ad

  • SHA256

    c85c16d46f7830ad5afc138282399bb1de7b71e67d516e7c76973c54d187d906

  • SHA512

    185dd3b3d2557f04eedd551775ef98cf9de0389d6e8228a184323426f5128945dd5468e418b58a0908514ca774497e19081843be212e03ef4ca0cc7d0b926e1c

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://fashionstune.com/wp-includes/app/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      c85c16d46f7830ad5afc138282399bb1de7b71e67d516e7c76973c54d187d906

    • Size

      4.4MB

    • MD5

      619dc6473630bef5775dc62304ebc640

    • SHA1

      3884fcd67c73e0c1f7c37a37b47dc69f61df82ad

    • SHA256

      c85c16d46f7830ad5afc138282399bb1de7b71e67d516e7c76973c54d187d906

    • SHA512

      185dd3b3d2557f04eedd551775ef98cf9de0389d6e8228a184323426f5128945dd5468e418b58a0908514ca774497e19081843be212e03ef4ca0cc7d0b926e1c

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT Payload

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
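
As an added example (not part of this sandbox report), the Python script below turns the indicators above into a small IOC check for proxy logs: it takes the five C2 URLs from the extracted lokibot config and the Charon/Inferno User-Agent that the Suricata rule names, and runs them over constructed log lines. The tab-separated log format, the log lines themselves, and the exact UA string "Mozilla/4.08 (Charon; Inferno)" (LokiBot's commonly documented value, but not quoted anywhere in this report) are assumptions made for the demo; the POST-to-fre.php heuristic is likewise an assumption and is only reported as a weaker, stand-alone signal.

```python
"""IOC matcher built from the LokiBot indicators in the report above.

Added example, not code from the sandbox or the report. The proxy log
format (tab-separated: timestamp, client, method, url, status, user-agent)
and the sample lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# C2 URLs taken from the extracted lokibot config in the report.
C2_URLS = [
    "http://fashionstune.com/wp-includes/app/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# The "Charon/Inferno" User-Agent named by the Suricata rule. The full
# string "Mozilla/4.08 (Charon; Inferno)" is an assumption here; matching
# on both tokens rather than the exact string tolerates minor variants.
UA_PATTERN = re.compile(r"Charon.*Inferno", re.IGNORECASE)


def _norm_url(url):
    """Split a URL into (lower-cased host, path); scheme and port are ignored."""
    p = urlsplit(url.strip())
    return (p.hostname or "").lower(), p.path


C2_EXACT = {_norm_url(u) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_EXACT}


def classify(method, url, user_agent):
    """Return the list of indicator names this request matches.

    An empty list means nothing fired. "c2-url" and "c2-host" come straight
    from the config; "lokibot-ua" from the Suricata rule; "fre.php-post" is a
    weaker heuristic (assumed gate-script name) reported only on its own.
    """
    reasons = []
    host, path = _norm_url(url)
    if (host, path) in C2_EXACT:
        reasons.append("c2-url")
    elif host in C2_HOSTS:
        reasons.append("c2-host")
    if UA_PATTERN.search(user_agent or ""):
        reasons.append("lokibot-ua")
    if method.upper() == "POST" and path.endswith("/fre.php") and not reasons:
        reasons.append("fre.php-post")
    return reasons


def scan_log(lines):
    """Parse tab-separated proxy lines; return (line_no, client, url, reasons)
    for every line that hit at least one indicator. Malformed lines are
    skipped rather than raising, so one bad record cannot abort a scan."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        _ts, client, method, url, _status, ua = fields
        reasons = classify(method, url, ua)
        if reasons:
            hits.append((n, client, url, reasons))
    return hits


# Constructed sample log (not real traffic): a benign request, a check-in to a
# listed C2 with the LokiBot UA, a hit on a listed host with a different path,
# the LokiBot UA to an unlisted host, and a POST to an unlisted fre.php.
SAMPLE_LOG = [
    "2022-06-24T10:00:01Z\t10.0.0.5\tGET\thttp://example.com/index.html\t200\tMozilla/5.0",
    "2022-06-24T10:00:07Z\t10.0.0.17\tPOST\thttp://alphastand.trade/alien/fre.php\t404\tMozilla/4.08 (Charon; Inferno)",
    "2022-06-24T10:00:09Z\t10.0.0.17\tGET\thttp://fashionstune.com/\t200\tMozilla/5.0",
    "2022-06-24T10:00:12Z\t10.0.0.23\tPOST\thttp://203.0.113.9/panel/gate.php\t200\tMozilla/4.08 (Charon; Inferno)",
    "2022-06-24T10:00:15Z\t10.0.0.31\tPOST\thttp://198.51.100.4/x/fre.php\t200\tMozilla/5.0",
]

if __name__ == "__main__":
    for n, client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {url}  [{', '.join(reasons)}]")
```

The host-only match ("c2-host") is kept separate from the exact URL match because fashionstune.com is a compromised WordPress site (the C2 path sits under wp-includes), so traffic to that host is worth a look but is not by itself proof of a LokiBot check-in; the alphastand.* and kbfvzoboss.bid domains have no such benign use and a host hit there is as strong as the URL hit.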

MITRE ATT&CK Enterprise v6

Tasks