General

  • Target

    TUM5653DE463.exe

  • Size

    774KB

  • Sample

    221005-m4jf9sebc3

  • MD5

    46f0f2e2a3af978862925f33fac17437

  • SHA1

    3404ecb40a143e0f81f04b451986c040c38c0a6d

  • SHA256

    eccc473ca1398efe9c95c25fba6b3d03d4c959bc27635b5fd252528e1bc5bd6f

  • SHA512

    5c175ad903b3e80ce59a533094ced0545f0ad8a076960e3a7cd5777e3cb5ca2b1de59a1149157b05f03778445e2075c5342f3571770b31997007ff15efedbc8f

  • SSDEEP

    12288:+/MhzZNcLVMXoLK7XCEkF847XISigtR/4ve:UKmVqEKnd4MSii4ve

Malware Config

Extracted

Family

lokibot

C2

http://162.0.223.13/?08fequikdahgueq78uc

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Collection

    Data from Local System: T1005 (1)

    Email Collection: T1114 (1)
