General
-
Target
TT swift advise.exe
-
Size
490KB
-
Sample
220704-pjba9sbbf8
-
MD5
a9c5b90bea45b7cc178b12622e8e9740
-
SHA1
8ed7875dcfd593a1f69dd27a14eee37f16d89066
-
SHA256
a44ca269366aaf1ff566a07612899523e7b865b3af8f18a4f98918ecaba79c65
-
SHA512
90a89f3b43582691ce231ff86e75f7a05ed5d10c91a5092ba7093a82b9f4f163c668c5b86882f21b3ed76aac725e98e923dcf3d49ea4077edfa901f027cd0f7e
Malware Config
Extracted
lokibot
http://sempersim.su/gi10/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
TT swift advise.exe
-
Size
490KB
-
MD5
a9c5b90bea45b7cc178b12622e8e9740
-
SHA1
8ed7875dcfd593a1f69dd27a14eee37f16d89066
-
SHA256
a44ca269366aaf1ff566a07612899523e7b865b3af8f18a4f98918ecaba79c65
-
SHA512
90a89f3b43582691ce231ff86e75f7a05ed5d10c91a5092ba7093a82b9f4f163c668c5b86882f21b3ed76aac725e98e923dcf3d49ea4077edfa901f027cd0f7e
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-