General

  • Target

    8a499e05589f930eb309f2bef2c5a920c675bb7c8675a46b6a0da0dbb3b78292

  • Size

    888KB

  • Sample

    230121-d2jjtacd3t

  • MD5

    f15cf7168d5d33becc22eee77cced430

  • SHA1

    fd21eb4c9f05ecc4c29049bd11c3dc30f18ec3c7

  • SHA256

    8a499e05589f930eb309f2bef2c5a920c675bb7c8675a46b6a0da0dbb3b78292

  • SHA512

    e3c33cbb2677b04741dddfa16e7114d928553c6d8fe83034bb0294d0c76c42e95d9b85a45837a366969ecd25f2f329d7ff1441f8791d8f2a24414afcd2929388

  • SSDEEP

    12288:mLNUQ97VQgh/f0BeGJwvioJi9u2XyDRRS8fWLRydcf8w2WRoIU1Gh:mRBbQgh/f0BWdcNy1RSwbceIU1G

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/zang/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      8a499e05589f930eb309f2bef2c5a920c675bb7c8675a46b6a0da0dbb3b78292

    • Size

      888KB

    • MD5

      f15cf7168d5d33becc22eee77cced430

    • SHA1

      fd21eb4c9f05ecc4c29049bd11c3dc30f18ec3c7

    • SHA256

      8a499e05589f930eb309f2bef2c5a920c675bb7c8675a46b6a0da0dbb3b78292

    • SHA512

      e3c33cbb2677b04741dddfa16e7114d928553c6d8fe83034bb0294d0c76c42e95d9b85a45837a366969ecd25f2f329d7ff1441f8791d8f2a24414afcd2929388

    • SSDEEP

      12288:mLNUQ97VQgh/f0BeGJwvioJi9u2XyDRRS8fWLRydcf8w2WRoIU1Gh:mRBbQgh/f0BWdcNy1RSwbceIU1G

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks