General
-
Target
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf
-
Size
294KB
-
Sample
220701-skstgshehn
-
MD5
2d88fec194225a419b391ebbb2472ba3
-
SHA1
1960e97f45caa7aa0702f059b9215f531ba58020
-
SHA256
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf
-
SHA512
d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d
Malware Config
Extracted
lokibot
http://89.46.222.42/wealth/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf
-
Size
294KB
-
MD5
2d88fec194225a419b391ebbb2472ba3
-
SHA1
1960e97f45caa7aa0702f059b9215f531ba58020
-
SHA256
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf
-
SHA512
d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-