General

  • Target

    OC 040-557.PDF.exe

  • Size

    129KB

  • Sample

    221031-1wv2zsedbn

  • MD5

    ebf76e2d443b779c9c1df77ffdbf5375

  • SHA1

    5d78606304d0fda16906f6739c691df1c652a32f

  • SHA256

    fb71588ec4287cc5163421466b826efc368207201324bb556d652dc5e3ab03fa

  • SHA512

    1bc802c161b067ef82af0f8e0525df9b2748d0d57d501cdc296d46ed0a8c0aab2c0c7dbfe4c442f20f213f417f530243cc2e0fa033bf21e2d506445c50862e10

  • SSDEEP

    3072:NUJoFfWzzl+c3AM3hfFjOjqQm2z4hmZ/rgbARkC:NweEv3VFv2YyMe

Malware Config

Extracted

Family

lokibot

C2

http://wexno.us/ho/sk/ironm.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks