General

  • Target

    HSBC Swift.exe

  • Size

    594KB

  • Sample

    230328-hvcvxabc6t

  • MD5

    d9a072246ed0a96136fc498cb6e76b2a

  • SHA1

    916a43f3334916887712733881e2c4d2533b6da4

  • SHA256

    462980f3af609772be260792b702a118fb2e87ded7dfe87bf5a75a13b37277d6

  • SHA512

    01a8da1a606c31198a6fe807da1e49c185e010d4610e7bbea967a916f116deecd9becbfd69bbc0fbfb7a152beb36d51340f765982c0bc028701d301b7dfdb42c

  • SSDEEP

    6144:R92Nj7FNKuggE/ZsIMg+Emf5U5+G9JVJgI2idTWkzZaD9Ysi84OI3qMeYsyfjlFa:nsxu7V/2iFzZaesiWQse21U1thhhSBF

Malware Config

  • Extracted

    Family: lokibot

  • C2

    https://sempersim.su/ha22/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      HSBC Swift.exe (size and hashes as listed under General above)

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent file, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic       Technique                      Count  ID
  Discovery    Query Registry                 3      T1012
  Discovery    System Information Discovery   3      T1082
  Collection   Email Collection               1      T1114

Tasks