General

  • Target

    5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b

  • Size

    4.4MB

  • Sample

    220801-dagwxagdcm

  • MD5

    20359e1c6c6c702e933bd0943292dcdc

  • SHA1

    9a4d2f8380c051b18dc1dacd2bca67d345b246e7

  • SHA256

    5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b

  • SHA512

    4054e99618301849bf9878ec2126f04de021def5402f1f60da8e757e08adee4c258e80a161acb625990c5831b9613c48999faed513506488d94ae8bbbae7075a

Malware Config

Extracted

Family

lokibot

C2

http://fashionstune.com/old/inc/img/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
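The five URLs above are the extracted Lokibot C2 gates, all ending in the same fre.php panel path. Below is an added example, not part of the sandbox report, of how a responder would sweep for them: it matches proxy log entries on parsed host and path (so the same gate reached over HTTPS or with a query string is still caught) and checks a file against the sample's SHA256. The log format and the log lines are constructed for the example; the Lokibot "Mozilla/4.08 (Charon; Inferno)" User-Agent noted in a comment is widely documented for this family but is not something this report states.

```python
"""IOC sweep for the Lokibot indicators listed in this report.

Added example, not part of the sandbox report. The proxy log format and the
sample log lines are constructed; the C2 URLs and SHA256 are taken verbatim
from the report.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://fashionstune.com/old/inc/img/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
SAMPLE_SHA256 = "5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b"

# Well-known Lokibot beacon User-Agent (not from this report; used only to flag, not to match).
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Index host -> paths so matching uses parsed URL components, not substring search.
C2_INDEX: Dict[str, Set[str]] = {}
for _u in C2_URLS:
    _p = urlparse(_u)
    C2_INDEX.setdefault((_p.hostname or "").lower(), set()).add(_p.path)

# Constructed proxy log line format (assumed for this example):
#   <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def match_c2(url: str) -> Optional[str]:
    """Return the C2 host if url points at a listed gate (scheme and query ignored)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in C2_INDEX and p.path in C2_INDEX[host]:
        return host
    return None


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """Return one hit record per log line that reaches a listed Lokibot C2 gate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = match_c2(m["url"])
        if host:
            hits.append({
                "src": m["src"],
                "host": host,
                "method": m["method"],
                # Lokibot posts stolen data to fre.php; a POST with the known UA is a strong signal.
                "lokibot_ua": m["ua"] == LOKIBOT_UA,
            })
    return hits


def sha256_matches(data: bytes) -> bool:
    """True if the given file content is the sample analysed in this report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed log lines: two C2 hits (one over https with a query string), two benign/lookalike.
SAMPLE_LOG = [
    '2022-08-01T10:00:01Z 10.0.0.12 POST http://kbfvzoboss.bid/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-08-01T10:00:02Z 10.0.0.12 GET http://www.example.com/ 200 "Mozilla/5.0"',
    '2022-08-01T10:00:03Z 10.0.0.12 GET http://fashionstune.com/index.php 200 "Mozilla/5.0"',
    '2022-08-01T10:00:04Z 10.0.0.17 POST https://alphastand.top/alien/fre.php?id=1 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on host plus path rather than the raw URL string is deliberate: the gates are reused across domains with an identical fre.php path, and a beacon that only differs in scheme or query string should not evade the check.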

Targets

    • Target

      5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b

    • Size

      4.4MB

    • MD5

      20359e1c6c6c702e933bd0943292dcdc

    • SHA1

      9a4d2f8380c051b18dc1dacd2bca67d345b246e7

    • SHA256

      5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b

    • SHA512

      4054e99618301849bf9878ec2126f04de021def5402f1f60da8e757e08adee4c258e80a161acb625990c5831b9613c48999faed513506488d94ae8bbbae7075a

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • Detect XtremeRAT payload

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks