General

  • Target

    5509d78e6da0b5e4dfc6371eadb9f1ce3520b67c840ce7c4181aad38cca779b4

  • Size

    1.1MB

  • Sample

    220725-vrx3wsfgd2

  • MD5

    a8e187400ccedf1d3134c238455bd792

  • SHA1

    98698c332b92c55cca793e3c31094061dc80403f

  • SHA256

    5509d78e6da0b5e4dfc6371eadb9f1ce3520b67c840ce7c4181aad38cca779b4

  • SHA512

    00156cd39a615b3ff92a7d03b1e61ede061a9bb493e3a57b6e1a3bca06ac83db9fd033744f5eac0385b8740472159e64bd65c5d9f22aad6f60ce08fe27290ad9

Malware Config

Extracted

Family

lokibot

C2

http://saftygroup.com/app/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      5509d78e6da0b5e4dfc6371eadb9f1ce3520b67c840ce7c4181aad38cca779b4

    • Size

      1.1MB

    • MD5

      a8e187400ccedf1d3134c238455bd792

    • SHA1

      98698c332b92c55cca793e3c31094061dc80403f

    • SHA256

      5509d78e6da0b5e4dfc6371eadb9f1ce3520b67c840ce7c4181aad38cca779b4

    • SHA512

      00156cd39a615b3ff92a7d03b1e61ede061a9bb493e3a57b6e1a3bca06ac83db9fd033744f5eac0385b8740472159e64bd65c5d9f22aad6f60ce08fe27290ad9

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT payload

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks