General

  • Target

    SalesJan2023.exe

  • Size

    705KB

  • Sample

    230131-t7k8lahb34

  • MD5

    a088dcb9ad5349ef886336c6ebfd85e7

  • SHA1

    91b430e9640c43b684d9ca98944c5b191b94c57e

  • SHA256

    365ee9ffdc4bf18f837088cb56943a90a5da4f1bd86f431abf2994e218b60e0c

  • SHA512

    15b70be528b0804b7c88d3346b740766c53b6629e9eb4e970e39e4fec6d2221204bf164598cb598b09aeae811dc60f395bdee8896b10e30528b1a992c48b45f2

  • SSDEEP

    12288:GVfHc4SeSMdN+zORpcoxr8z9i7+pvrc4N34:GVHc/ebIORpjr8zw6Rrc4N34

Malware Config

  • Extracted family

    lokibot

  • C2

    https://sempersim.su/ha6/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      SalesJan2023.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1
    Email Collection (T1114): 1