General

  • Target

    e6cf7e6ea06ad8ab2297af8e48c80dce.exe

  • Size

    773KB

  • Sample

    221005-m5ppnsebc7

  • MD5

    e6cf7e6ea06ad8ab2297af8e48c80dce

  • SHA1

    ba8bc90aafde7a77baeeec3c3f77f0a0f5555b6e

  • SHA256

    38a47f77600d327589d62e4d015ead4e2ae7f454f5037e4e523968961ddc16b4

  • SHA512

    c6ff7900d3459ea072df3033fd27ae75cc5449f84d4ac36c83a326884211fc136ebffb10e331ac6786e6368dd93b7c6d03593b6aba4d463aef23cf081ac05596

  • SSDEEP

    12288:CR/4veOpYTsZpQQWt65SidUBzt0le/UwelTIt+Nm1iDok6:44veOpwsZhWt6tOMid/oNIiD

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.161/donstan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      e6cf7e6ea06ad8ab2297af8e48c80dce.exe

    • Size

      773KB

    • MD5

      e6cf7e6ea06ad8ab2297af8e48c80dce

    • SHA1

      ba8bc90aafde7a77baeeec3c3f77f0a0f5555b6e

    • SHA256

      38a47f77600d327589d62e4d015ead4e2ae7f454f5037e4e523968961ddc16b4

    • SHA512

      c6ff7900d3459ea072df3033fd27ae75cc5449f84d4ac36c83a326884211fc136ebffb10e331ac6786e6368dd93b7c6d03593b6aba4d463aef23cf081ac05596

    • SSDEEP

      12288:CR/4veOpYTsZpQQWt65SidUBzt0le/UwelTIt+Nm1iDok6:44veOpwsZhWt6tOMid/oNIiD

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks