General

  • Target

    7c823274ec6a711a73c4c7df54d1d4cd.zip

  • Size

    19KB

  • Sample

    230606-q4pvtsee5y

  • MD5

    c4bbaa48f29960ee2722011afd3f03da

  • SHA1

    6a5e8768ee4695232e15270c78f3f5a2d6899f9b

  • SHA256

    e75d2043a1eb7b4b789fe658bfcd288acde0447d7e44640fb3e14c9da7a6e0fb

  • SHA512

    f3ead62d34c03859029fba78fb1027cdafcd5b1594fb9cf7809bad8c1db5b8c9fc055629010dade5bf2528d056cfe369262a41f7d230012731c918352a67b9f7

  • SSDEEP

    384:w+4BvaMRofJWUgY0Hr16FyXz0WVnjpEiCa9/:zep2zgY4oF4AWLzd/

Malware Config (Extracted)

  • Family

    lokibot

  • C2

    http://efvsx.cf/PWS/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      Megrendelés_(P.O_5029063)_FANUC.exe

    • Size

      37KB

    • MD5

      7c823274ec6a711a73c4c7df54d1d4cd

    • SHA1

      8c78efece5e8c83205df2b18390b3e53396bd237

    • SHA256

      b432b8aa06d6977b2f87eafa17634e0fded464c7a521e0120c393c4f4d084fc9

    • SHA512

      f6e14be4995d1f74ee9c18f2797035a99ddb95f62f3d1c9dd8b522da290e94e8a32f6a739ee4e930f2c9d3f93eb35cff33b44a8d8bd915b1d0fee14b19e8c475

    • SSDEEP

      768:bNyecx7gKng+pF0WeIUDNC6YGcoMcRC7n8Yila:b0ecx7g+70dIUpC6YFoFo78lla

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (1): T1012
    System Information Discovery (2): T1082

  • Collection

    Email Collection (1): T1114
