General

  • Target

    f78a2b1b7893329cfae8149542b417d5bd94a689f4019a58a6934421ab07a9ce

  • Size

    883KB

  • Sample

    221005-t8kcpaehd8

  • MD5

    d5ff0c7259a4c2bba2031f2eb668cf89

  • SHA1

    7d6143525b256048fb0e794cce34ab9a82b46e9b

  • SHA256

    f78a2b1b7893329cfae8149542b417d5bd94a689f4019a58a6934421ab07a9ce

  • SHA512

    aa0cc6d93b9d311fe2b88abeae079878e726ce6471aed4b484bc803c563ab05c61d30ff8d439cca71066f5760dc54ad34702f02c313b87be73151e7e2cf8ac52

  • SSDEEP

    12288:cuuUc2iN0R/4ve+rxN8fKONyJ8y27iC0mp8VNj0KBSft:e1s4ve+rxN8/NsHq90fjo

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.161/donstan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks