General
-
Target
0553ae7af8a6276b7ac154eb1ab1018f.exe
-
Size
876KB
-
Sample
221005-txhdyseha2
-
MD5
0553ae7af8a6276b7ac154eb1ab1018f
-
SHA1
250f9c2c7fcf3b3737bf76ec572a499437807ef2
-
SHA256
929326cdad02e238d239eb6aa0d162fe2bb1f0e67538807f89f58d927cd25526
-
SHA512
ed00c0dc681d294593b8d3bfc4bff17a449003dbc383e4a82d5c1542f4a99e9ac9ea91892c66ec6f37aa45852e4b9466125496fa5c457b56b808bd2323640014
-
SSDEEP
12288:DWiAPoeMlfqU6mNxosq22XUZVAFVwmpXx1ZOrQ7K4HTN:qi5eMAU6d22XUWVwmphm
Malware Config
Extracted
lokibot
http://162.0.223.13/?lerwUQjXGkaqpcVaFYobv5p64auikJJGYacS1wQHQ07fd3qT2P5xUuEZF9hZS1GQcTJepAVfA3vO7WI9MNHHilGXuYWnZDd
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
0553ae7af8a6276b7ac154eb1ab1018f.exe
-
Size
876KB
-
MD5
0553ae7af8a6276b7ac154eb1ab1018f
-
SHA1
250f9c2c7fcf3b3737bf76ec572a499437807ef2
-
SHA256
929326cdad02e238d239eb6aa0d162fe2bb1f0e67538807f89f58d927cd25526
-
SHA512
ed00c0dc681d294593b8d3bfc4bff17a449003dbc383e4a82d5c1542f4a99e9ac9ea91892c66ec6f37aa45852e4b9466125496fa5c457b56b808bd2323640014
-
SSDEEP
12288:DWiAPoeMlfqU6mNxosq22XUZVAFVwmpXx1ZOrQ7K4HTN:qi5eMAU6d22XUWVwmphm
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-