General

  • Target

    número de pedido 675432.exe

  • Size

    752KB

  • Sample

    230202-xbrmaacg58

  • MD5

    9e1935a47f0fc0de66b4a98556336d46

  • SHA1

    8cacf3fa719e158213189b0ec89f8813c4d21297

  • SHA256

    e973ddbe5be12de3bb6c48532e99abd8a5e9b44b084a388c89690309c7c38da5

  • SHA512

    93d5f772f3ca308cb9c249c70e5a538ec399e3db902d945f6ee4d08ff399947a4a0d35899b1dc9ebc47d37b6693db5a8787386498e8eeb152c172c924c23590a

  • SSDEEP

    12288:f2iNZlSE+AB6Fy2Mxz0hAy9yVrNgFW9zktGU83Sg43pqG4yPa:f1dH+AB6F0x10yFFVktGz3tYpqG4yPa

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha8/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      número de pedido 675432.exe

    • Size

      752KB

    • MD5

      9e1935a47f0fc0de66b4a98556336d46

    • SHA1

      8cacf3fa719e158213189b0ec89f8813c4d21297

    • SHA256

      e973ddbe5be12de3bb6c48532e99abd8a5e9b44b084a388c89690309c7c38da5

    • SHA512

      93d5f772f3ca308cb9c249c70e5a538ec399e3db902d945f6ee4d08ff399947a4a0d35899b1dc9ebc47d37b6693db5a8787386498e8eeb152c172c924c23590a

    • SSDEEP

      12288:f2iNZlSE+AB6Fy2Mxz0hAy9yVrNgFW9zktGU83Sg43pqG4yPa:f1dH+AB6F0x10yFFVktGz3tYpqG4yPa

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks