General
-
Target
crypt.exe
-
Size
200KB
-
Sample
230130-k2rczshh29
-
MD5
a0463e7df09f9acc1534613cd0ac2086
-
SHA1
ee94c6c745c565d9aa80a7052c18646f6ac0ded8
-
SHA256
c7fffe65298633558ce7773af201a4d3fba2c082f309c924e07a5a0cd2642547
-
SHA512
ed115fa597267e8ab19703b6bc03d614dc8f2ab354cd1ce9a29a9c0e2b88be306486acf5c11f361863a8c4676590c0d637dcc85fc66281494400a0d55f69549a
-
SSDEEP
3072:HfY/TU9fE9PEtu9bZ1pPPJOBgG+ADhnYn5VUOsJ6P7T943GwPY5RWORN96:/Ya6LvpwGG+uhnCV5sIPX9goE
Malware Config
Extracted
lokibot
http://185.246.220.60/jt/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
crypt.exe
-
Size
200KB
-
MD5
a0463e7df09f9acc1534613cd0ac2086
-
SHA1
ee94c6c745c565d9aa80a7052c18646f6ac0ded8
-
SHA256
c7fffe65298633558ce7773af201a4d3fba2c082f309c924e07a5a0cd2642547
-
SHA512
ed115fa597267e8ab19703b6bc03d614dc8f2ab354cd1ce9a29a9c0e2b88be306486acf5c11f361863a8c4676590c0d637dcc85fc66281494400a0d55f69549a
-
SSDEEP
3072:HfY/TU9fE9PEtu9bZ1pPPJOBgG+ADhnYn5VUOsJ6P7T943GwPY5RWORN96:/Ya6LvpwGG+uhnCV5sIPX9goE
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-