General

  • Target

    eff9dc2494f14b6708a540c6a6f094b1f9286545e6d85c78923700933b9411fe

  • Size

    647KB

  • Sample

    230130-phdd8sbh8z

  • MD5

    4c1dd8060697df9261ae84d6a28d457e

  • SHA1

    d6f9d17e217fe9d7845a90cec6be43f01e31d1c5

  • SHA256

    eff9dc2494f14b6708a540c6a6f094b1f9286545e6d85c78923700933b9411fe

  • SHA512

    8b06953d3e47b6007515486732874a9c9c69ca6cde4f5f7e1fcc30d7574765eb497ea59e92e817efa87a5688f6f24dd73b655c6df01cf9f0997cf2b2732a662f

  • SSDEEP

    12288:tqDcBowWlaqMqNcv2OwGNpDdSgq0f6MikPA7Weh3ih9HeA:tqD2ow1qtcntNp4gIBkPIBYTf

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/china/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets
    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 1 signature

  • Collection

    Data from Local System (T1005), 1 signature

    Email Collection (T1114), 1 signature

Tasks