General

  • Target: 42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550

  • Size: 4.3MB

  • Sample: 220708-b7plxaccdq

  • MD5: b18845adc4e9656460ea07ed40cde26b

  • SHA1: c3cfa90112c46f4be175370b45ae40fa7f3f9e3c

  • SHA256: 42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550

  • SHA512: 8df6ec830b60b4c958f62f6e464b9f84ff369a8dad6317321774c371455e1569ef9181e95da59f4c085af8df42ea45eb16c952bcee31f7a4b403281bbc3e6a81

Malware Config

Extracted

  • Family: lokibot

  • C2:

    http://saftygroup.com/app/Panel/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT payload

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    • suricata: ET MALWARE LokiBot Checkin

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks