General

  • Target

    A230F0A094F4F90C0353688E60A8705B4396970DE6FE34C9C62C077003529DC7

  • Size

    393KB

  • Sample

    221123-r2taxadb5s

  • MD5

    9433034c2cfa6b182409561cc01173fe

  • SHA1

    9026d31a8fbffb73ee642cf42479a71e982eb4bc

  • SHA256

    a230f0a094f4f90c0353688e60a8705b4396970de6fe34c9c62c077003529dc7

  • SHA512

    7e841ba908930f92d317243a6e710b4baf823bacc0dbfe4ecfb06a6a7a9a5dba2ce569e4eba71dafef985e75bba1bdea299607a835ccb24dc736107407915cd0

  • SSDEEP

    12288:OdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmYjTm7TmD9JIxWZaTtg/g6Rm:tr5XXXXXXXXXXXXUXXXXXXXrXXXXXXX2

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gk22/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
