General

  • Target: P.O.070623.exe.zip
  • Size: 600KB
  • Sample: 230607-nsdx3sad3w
  • MD5: 56289fe2998162541f6f4b0978d44d4a
  • SHA1: 5347d545bd3a753470b3e6f9ee466d055a467ca7
  • SHA256: f85db12206e5a8e312a57be8470edd9173b66850a72745097a136ee519828986
  • SHA512: 370edc3a79f60fdfeb02e07e3a32d87cf454b731544477c360643fe1169bc75e16ae1ebbd8df6ceb3905b71499fa3dd373ffe6defb98fce808655de191e9b838
  • SSDEEP: 12288:6XFX+4/uNLe8qK1ujYv2GItqgUHbO+m1oZXiOt5jJ0uJldXAV:6xZ/gekcjYv2Gsq9ORMXiwjJlFE

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://185.246.220.60/sirR/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

  • Target: P.O.070623.exe
  • Size: 681KB
  • MD5: cb2a173f508c65bfa2223a310e7e5cda
  • SHA1: 15d31842cad840c1b43f5f816bf560b7c2560e92
  • SHA256: 4640e7f936f754a19cdbc2f5b598269de0daf3a421a9d9c283624c1a7f3775fd
  • SHA512: dc53cac9584cc5771a5f27acd36bffdb5e19fbd4dfb39733eec4cddcd7175d95d75fa81e4a37c445a9e33165ec8d01d80edf4f6d2deb30802586aa48cfb526c7
  • SSDEEP: 12288:Dd6L7PVgfEiCbhaDnLMzIL2q+RTdOL8RQjgvMoIfYg0H1sIYdCZri+t/dJ0VotjV:YOyqGUL8RQjgvMoGYtsN2rikmA4LyFC

  Signatures

  • Lokibot: Lokibot is a password and cryptocoin wallet stealer.
  • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Accesses Microsoft Outlook profiles
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 1 signature
  • Collection: Data from Local System (T1005), 1 signature
  • Collection: Email Collection (T1114), 1 signature

Tasks