General

  • Target

    166a7ab059b6eb18c68de7bafed0bd5203cbed1836a0e0baa3b2735410569130

  • Size

    1.1MB

  • Sample

    221004-p42c7abaa3

  • MD5

    32ed364f1d7cb16728c2b328f708756b

  • SHA1

    9dd373e5c705bff0b0a19b96ecb4267f03beae0a

  • SHA256

    166a7ab059b6eb18c68de7bafed0bd5203cbed1836a0e0baa3b2735410569130

  • SHA512

    67c5b21909fd74fa50b1d75eda60f07307bcb255c88db8a7bc968e100089776194422a90424027f594d005ef64078f519cf8148568349a6f620349300fb80517

  • SSDEEP

    12288:m1s7K4HTNs2GHO4EY9z3d/FUz2GGSxls7uKoXMwOJG8H1JJfXxRy:EwG/Emz3d/ufO7HwOJGSJfhRy

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.161/donstan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      166a7ab059b6eb18c68de7bafed0bd5203cbed1836a0e0baa3b2735410569130

    • Size

      1.1MB

    • MD5

      32ed364f1d7cb16728c2b328f708756b

    • SHA1

      9dd373e5c705bff0b0a19b96ecb4267f03beae0a

    • SHA256

      166a7ab059b6eb18c68de7bafed0bd5203cbed1836a0e0baa3b2735410569130

    • SHA512

      67c5b21909fd74fa50b1d75eda60f07307bcb255c88db8a7bc968e100089776194422a90424027f594d005ef64078f519cf8148568349a6f620349300fb80517

    • SSDEEP

      12288:m1s7K4HTNs2GHO4EY9z3d/FUz2GGSxls7uKoXMwOJG8H1JJfXxRy:EwG/Emz3d/ufO7HwOJGSJfhRy

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks