General
-
Target
-Invoice.zip
-
Size
168KB
-
Sample
230418-tt8fzacf46
-
MD5
56754f524dccbd3cb5c7cddae9c7fd14
-
SHA1
ad77bdac813ffe7df2ed1a60eeb248c85bd84a21
-
SHA256
7285ced65b625a2bd6b8c57838d6c4d378487d9f9e1f508e094c768cec06b1a3
-
SHA512
7a9b80ade5f9fde0abb46396d4bce16a7f967e2b43c27f947797cc0db45486dc5bd37c54f71a4de1009bea5a8a345e866732141f2c3a909db413a6113fecc59a
-
SSDEEP
3072:hpOz8IaLHsOuyXOaIglcQJ0Z0be+Cb+ltRqvINHZC6zENRymNW/RP8ntM9SKcoiA:hpU8PLzxOaIPwbYb+HQAhZnyT+9Sii1i
Malware Config
Extracted
lokibot
http://185.246.220.60/project/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
-Invoice.exe
-
Size
183KB
-
MD5
2e7f6e052cb4f9700bb6bdd08df00e5b
-
SHA1
2b880c88b06118959799fce8e1038cc5c91f4f09
-
SHA256
1897e810d8f4a5f2ecd53a5abba88dca5d94137fd9e6427c7529313cc7af5196
-
SHA512
18515e9df96dda75a43cb1561921e744213d98533039c4c556401143ce0d632f2bcfedbf9321abcd9c5ddf9fef6f6a6d1a17170dcb17b304a25ec73f7a24cb07
-
SSDEEP
3072:HfY/TU9fE9PEtu0b1JF+aIglcYJ0Z0bo+Cb+ltRqv4NHZC6hENRymrW/RPyntK9w:/Ya6A1maIPobmb+HQAhZNytc9S1i1A
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-