General

  • Target

    D355C4841E3EAAC57D849EBB20B976AB3D9A8A2A12D93.exe.bin

  • Size

    1.2MB

  • Sample

    230507-hz917scf33

  • MD5

    7022efdc7290b59496df738f10ff2af8

  • SHA1

    c8010e7eefa1d6d58b48e23178947a29b8dd6649

  • SHA256

    d355c4841e3eaac57d849ebb20b976ab3d9a8a2a12d93ae6704fcc681241c785

  • SHA512

    3e82c0cabcb0ea955456bb2d28b7585f3d0bfd3be97ccbd1c4fa922932637161e65df2723b8c5853dc39446cdeb78c040ae1efb202ab6823e52238b50cd553ab

  • SSDEEP

    12288:NbbbbbbbbH77777777YazjkAame5Ug5lYjbbbbbbbbH77777777rioJY:CKkAT2P5SiV

Malware Config

Extracted

Family

pony

C2

http://ranmabo.tk/no/gate.php

Attributes
  • payload_url

    http://magic-skid.com/shit.exe

    http://skid.com/calculator.exe

Extracted

Family

lokibot

C2

http://matbin.com/doc/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      D355C4841E3EAAC57D849EBB20B976AB3D9A8A2A12D93.exe.bin

    • Size

      1.2MB

    • MD5

      7022efdc7290b59496df738f10ff2af8

    • SHA1

      c8010e7eefa1d6d58b48e23178947a29b8dd6649

    • SHA256

      d355c4841e3eaac57d849ebb20b976ab3d9a8a2a12d93ae6704fcc681241c785

    • SHA512

      3e82c0cabcb0ea955456bb2d28b7585f3d0bfd3be97ccbd1c4fa922932637161e65df2723b8c5853dc39446cdeb78c040ae1efb202ab6823e52238b50cd553ab

    • SSDEEP

      12288:NbbbbbbbbH77777777YazjkAame5Ug5lYjbbbbbbbbH77777777rioJY:CKkAT2P5SiV

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Tasks