General

  • Target

    56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3

  • Size

    2.2MB

  • Sample

    220725-cc1lcsaab6

  • MD5

    d6f0b0dab732ddbccb910d62172148f4

  • SHA1

    6b7b3acbbed374628e9217b039deda2702fad88e

  • SHA256

    56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3

  • SHA512

    28e15352233db9c6ba71bcfc5e5dee7aaec66ad674b2450e26a5a75683b3f1112c804f01f75908134ead46a5e3e009b36b03c0fc4289e8088b8bb764894aff34

Malware Config

Extracted

Family

lokibot

C2

http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
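
The hashes and C2 URLs above are the report's network and file indicators. The following script is an added example (not part of the sandbox report) that turns them into a small IOC check: it identifies which digest a given hex string is and whether it matches this sample, and it scans proxy log lines for traffic to the listed C2 hosts and URLs. The log format (timestamp, source IP, method, URL, status) and the log lines are constructed for the example; the weaker `fre.php` path heuristic is an assumption based only on the panel script name shared by all five C2 URLs.

```python
import re
from urllib.parse import urlparse

# Indicators copied verbatim from the report.
SAMPLE_HASHES = {
    "md5": "d6f0b0dab732ddbccb910d62172148f4",
    "sha1": "6b7b3acbbed374628e9217b039deda2702fad88e",
    "sha256": "56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3",
    "sha512": "28e15352233db9c6ba71bcfc5e5dee7aaec66ad674b2450e26a5a75683b3f111"
              "2c804f01f75908134ead46a5e3e009b36b03c0fc4289e8088b8bb764894aff34",
}
C2_URLS = [
    "http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
C2_HOST_PATHS = {(urlparse(u).hostname, urlparse(u).path) for u in C2_URLS}


def lookup_hash(value):
    """Return (algorithm, matches_this_sample) for a hex digest, or None if not a digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v) or len(v) not in HEX_LEN_TO_ALGO:
        return None
    algo = HEX_LEN_TO_ALGO[len(v)]
    return algo, SAMPLE_HASHES[algo] == v


# Constructed log format for the example: "<epoch> <src-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def check_proxy_line(line):
    """Return the list of reasons a proxy log line matches the report's C2 indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    u = urlparse(m["url"])
    host = (u.hostname or "").lower()
    reasons = []
    if (host, u.path) in C2_HOST_PATHS:
        reasons.append("exact lokibot C2 URL")
    elif host in C2_HOSTS:
        # Any contact with a listed C2 host is worth a look, even on a different path.
        reasons.append("lokibot C2 host")
    elif m["method"] == "POST" and u.path.endswith("/fre.php"):
        # Assumption: same panel script name as the listed C2s on an unlisted host.
        # This is a hunt lead, not a verdict.
        reasons.append("POST to fre.php on unlisted host (hunt lead)")
    return reasons


def scan_proxy_log(text):
    """Return (src, url, reasons) for every matching line in a proxy log."""
    hits = []
    for line in text.splitlines():
        reasons = check_proxy_line(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            hits.append((m["src"], m["url"], reasons))
    return hits


# Constructed sample log: two exact C2 hits, one C2 host on another path,
# one fre.php POST to an unlisted host, and one benign request.
SAMPLE_PROXY_LOG = """\
1658714401 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404
1658714402 10.0.0.15 POST http://alphastand.top/alien/fre.php 200
1658714403 10.0.0.22 GET http://alphastand.win/robots.txt 404
1658714404 10.0.0.31 POST http://example.org/panel/fre.php 200
1658714405 10.0.0.40 GET http://example.com/index.html 200
"""

if __name__ == "__main__":
    print(lookup_hash("D6F0B0DAB732DDBCCB910D62172148F4"))
    for src, url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(src, url, ", ".join(reasons))
```

The exact-URL and listed-host matches are high confidence because they come straight from the extracted config; the `fre.php` path match is deliberately reported as a separate, weaker reason so an analyst can triage it differently.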

Targets

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT payload

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
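
The two persistence signatures above ("Adds Run key to start application" and "Modifies Installed Components in the registry") map to registry value writes under the `CurrentVersion\Run` keys and under `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` respectively. The script below is an added example (not from the report) that applies that logic to constructed Sysmon-style registry events (event ID 13, `SetValue`) and additionally flags when the value written points at a user-writable directory, which is where a dropped payload usually lives. The event fields, the file paths and the Active Setup GUID are all constructed for the example.

```python
import re

# Registry locations behind the two persistence signatures in the report.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\", re.I)
# Assumption for the example: directories a standard user can write to.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def classify_registry_event(event):
    """Map one registry-value-set event to the report's signature names."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return []
    target = event.get("TargetObject", "")
    findings = []
    if RUN_KEY_RE.search(target):
        findings.append("Adds Run key to start application")
    if ACTIVE_SETUP_RE.search(target):
        # Active Setup StubPath values are executed once per user at logon.
        findings.append("Modifies Installed Components in the registry")
    return findings


def triage_registry_events(events):
    """Return one record per persistence event, noting if the value points into a user-writable path."""
    results = []
    for e in events:
        sigs = classify_registry_event(e)
        if not sigs:
            continue
        results.append({
            "image": e.get("Image", ""),
            "target": e.get("TargetObject", ""),
            "signatures": sigs,
            "user_writable_target": bool(USER_WRITABLE_RE.search(e.get("Details", ""))),
        })
    return results


# Constructed Sysmon-style events: a Run key write, an Active Setup StubPath write,
# and a benign service configuration change that must not match.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E6F1A0B2-0000-0000-0000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for r in triage_registry_events(SAMPLE_EVENTS):
        print(r["image"], r["signatures"], "user-writable" if r["user_writable_target"] else "")
```

Sysmon records value writes but not reads, so the report's "Checks computer location settings" signature (a registry read of the configured country code) cannot be recovered from these events; it needs API-level or sandbox tracing.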

MITRE ATT&CK Enterprise v6