General

  • Target

    SecuriteInfo.com.Variant.Tedy.154569.19490.16022

  • Size

    580KB

  • Sample

    220705-f9z8msgdc5

  • MD5

    155d1e5ad55adc2d9da5abcbc9db15cf

  • SHA1

    c222dd086a332c8c4e21a1ebb6f07013592c5af4

  • SHA256

    1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505

  • SHA512

    22c4769aae9f3489c8e4a947c89aecb7182a80c426028432a18eb8e42f6c2b07ac947f4a3347475530b127f96cc85bffa216a3aa3865733ad3f557588b59182f

Malware Config

Extracted

Family

lokibot

C2

http://s509040.smrtp.ru/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      SecuriteInfo.com.Variant.Tedy.154569.19490.16022

    • Size

      580KB

    • MD5

      155d1e5ad55adc2d9da5abcbc9db15cf

    • SHA1

      c222dd086a332c8c4e21a1ebb6f07013592c5af4

    • SHA256

      1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505

    • SHA512

      22c4769aae9f3489c8e4a947c89aecb7182a80c426028432a18eb8e42f6c2b07ac947f4a3347475530b127f96cc85bffa216a3aa3865733ad3f557588b59182f

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Fake 404 Response

      suricata: ET MALWARE LokiBot Fake 404 Response

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks