General

  • Target

    b9ff83bfec02bbaba2e8966e3923e08238e295dc9e66b139df4ba1c3f024a8d9

  • Size

    668KB

  • Sample

    230201-qt3nyaae3w

  • MD5

    06f61b2e8dcaeb8e8a1e80611d53baa5

  • SHA1

    e97262db5f421274929d9d190d9f45734737f201

  • SHA256

    b9ff83bfec02bbaba2e8966e3923e08238e295dc9e66b139df4ba1c3f024a8d9

  • SHA512

    e834bf7fe272a929a9b3b93e7e0786e9ada09fc42e76049845909a140b5b94cac22174462d7af72c09b90566e0af3b81c32e18a043d7cf7d8ce4e4b22b25b9b1

  • SSDEEP

    12288:ttz8L6guub02iDBd0ER+pVj4pmLoU25nntk6PUi+9xMRSR5SWqG4yPa:wLz0LDwIij4cLNItvX4yRU5JqG4yPa

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Note on the list: the four /alien/fre.php URLs are hard-coded defaults that turn up in most LokiBot samples built from the widely circulated cracked builder and are not specific to this campaign; they are rarely live. The first URL is the one unique to this sample and is the operator's C2, so treat it as the primary pivot and block all five.
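The following is an added example, not part of the sandbox report and not code from the LokiBot author or any analysis team. It turns the IOCs on this page (the C2 URLs above and the file hashes from the General section) into reusable checks: it separates the operator C2 from the builder defaults, matches a file's hashes against the report, scans proxy log lines for C2 requests and emits Suricata rules. The proxy log lines are constructed for the demo; the "METHOD URL" log layout, the regex for it and the rule SIDs are assumptions to adapt to your environment.

```python
"""Turn the LokiBot IOCs from this sandbox report into detection logic.

Added example, not part of the report. C2 URLs and hashes are copied from
the report; the proxy log lines are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlparse

# Copied from the report's "Malware Config" section.
C2_URLS = [
    "http://171.22.30.147/kelly/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Copied from the report's "General" section.
SAMPLE_HASHES = {
    "md5": "06f61b2e8dcaeb8e8a1e80611d53baa5",
    "sha1": "e97262db5f421274929d9d190d9f45734737f201",
    "sha256": "b9ff83bfec02bbaba2e8966e3923e08238e295dc9e66b139df4ba1c3f024a8d9",
}

# Path used by the hard-coded defaults found in most LokiBot builds.
DEFAULT_C2_PATH = "/alien/fre.php"

# Constructed proxy log lines (assumed "timestamp host METHOD URL - status" layout).
CONSTRUCTED_PROXY_LOG = [
    "1675245600.123 WS01 POST http://171.22.30.147/kelly/five/fre.php - 200",
    "1675245601.456 WS01 GET http://www.example.com/index.html - 200",
    "1675245602.789 WS02 POST http://alphastand.top/alien/fre.php - 404",
]


def classify_c2(urls):
    """Split C2 URLs into (operator-specific, builder-default) lists."""
    operator, defaults = [], []
    for u in urls:
        (defaults if urlparse(u).path == DEFAULT_C2_PATH else operator).append(u)
    return operator, defaults


def matches_sample(data: bytes) -> dict:
    """Return, per algorithm, whether the blob's digest equals the report's."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in SAMPLE_HASHES.items()
    }


def scan_proxy_log(lines, urls):
    """Return (line_no, matched_c2_url) for every request to a known C2.

    Matching is on host plus path so query strings or ports do not evade it.
    """
    known = {(urlparse(u).hostname, urlparse(u).path): u for u in urls}
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\b(?:GET|POST|PUT) (\S+)", line)
        if not m:
            continue
        p = urlparse(m.group(1))
        if (p.hostname, p.path) in known:
            hits.append((n, known[(p.hostname, p.path)]))
    return hits


def suricata_rules(urls, base_sid=9000001):
    """Emit one Suricata HTTP rule per C2 URL (sticky-buffer host + URI match)."""
    rules = []
    for i, u in enumerate(urls):
        p = urlparse(u)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"LokiBot C2 {p.hostname}"; flow:established,to_server; '
            f'http.host; content:"{p.hostname}"; http.uri; content:"{p.path}"; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    operator, defaults = classify_c2(C2_URLS)
    print("operator C2:", operator)
    print("builder defaults:", defaults)
    for line_no, url in scan_proxy_log(CONSTRUCTED_PROXY_LOG, C2_URLS):
        print(f"line {line_no}: request to {url}")
    print("\n".join(suricata_rules(C2_URLS)))
```

The host-plus-path key in scan_proxy_log is deliberate: matching on the full URL string would miss a request that adds a query string or an explicit port, while matching on host alone would also fire on unrelated paths if a default domain is ever parked on shared hosting.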

Targets

    • Target

      b9ff83bfec02bbaba2e8966e3923e08238e295dc9e66b139df4ba1c3f024a8d9
    • Lokibot

      LokiBot is an information stealer: it harvests saved passwords from browsers, mail and FTP clients and other applications, together with cryptocurrency wallet files, and posts them to its C2.

    • Reads user/profile data of web browsers

      Infostealers target the browser profile directories, which hold saved credentials, cookies, autofill data and session tokens.

    • Accesses Microsoft Outlook profiles

      Outlook keeps account settings, including stored mail-server passwords, in per-user registry profile keys; reading them is consistent with LokiBot's credential harvesting rather than with normal application behaviour.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is the final step of process hollowing: the loader starts a suspended copy of a legitimate process, writes the unpacked payload into it, points the thread's instruction pointer at the payload and resumes it. The unpacked LokiBot is therefore likely to run inside that hollowed process rather than in the 668KB file on disk; memory-dump the child process, not the dropper.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 1 signature

  • Collection: Data from Local System (T1005), 1 signature

  • Collection: Email Collection (T1114), 1 signature

The technique IDs follow ATT&CK v6 as the report states. In current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files); T1005 and T1114 are unchanged.
