General
-
Target
356233734f03d5b38d8e17a72458296b72837f0e79a16cc844074d52595a03bf
-
Size
144KB
-
Sample
220627-aptx8sabe8
-
MD5
50bc43ff94e9abad1c326fd581d9e133
-
SHA1
601af3d0068a29e11c23a504d7c2affbcbb4c04e
-
SHA256
356233734f03d5b38d8e17a72458296b72837f0e79a16cc844074d52595a03bf
-
SHA512
282be2446c89ce1a4c6e3f7335336f818c2f535a1e36b98f2b9ebbcf5f545eb6de59b5ad846294fff51b6873a38cc3e45c596c3e666087f43ee9f8d5906fc3cf
Malware Config
Extracted
lokibot
http://deeshawears.com/test/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
356233734f03d5b38d8e17a72458296b72837f0e79a16cc844074d52595a03bf
-
Size
144KB
-
MD5
50bc43ff94e9abad1c326fd581d9e133
-
SHA1
601af3d0068a29e11c23a504d7c2affbcbb4c04e
-
SHA256
356233734f03d5b38d8e17a72458296b72837f0e79a16cc844074d52595a03bf
-
SHA512
282be2446c89ce1a4c6e3f7335336f818c2f535a1e36b98f2b9ebbcf5f545eb6de59b5ad846294fff51b6873a38cc3e45c596c3e666087f43ee9f8d5906fc3cf
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-