General

  • Target

    931e722f5e3571939e8503189b782db0.exe

  • Size

    511KB

  • Sample

    230619-t1cymsgb8w

  • MD5

    931e722f5e3571939e8503189b782db0

  • SHA1

    b37014f66d8b904725f488e9b8b8480675147314

  • SHA256

    3dd7f1720261b8846b6d2fb7fda89dcbc93fdbc7b69f7c49301daa5add74838d

  • SHA512

    4ad44b17cc9aa24c8277f78beaebca173256db59edf10a78ceab2bd1ad56b5336be74e55d44b0c00f2dddd41b97a94588aea6dc35da8f0c7d21518842251253a

  • SSDEEP

    6144:2qJsocMS507SQfzFp6Wndk9YvhVTcgL/dpd1N/trCSeL2o6/n0h+ag1CWQbSfQqJ:jJsocMd7RpR66QgL/TdPUSL8EKqfEY

Malware Config

Extracted

Family

lokibot

C2

http://hmsd.us/loki/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
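
The five C2 URLs and the file hashes above are the actionable part of this report. The Python below is an added example, not part of the sandbox output, showing how to turn them into IOCs: it pulls the C2 host names out of the URLs, matches those hosts against proxy log lines (the log lines and their space-separated format are constructed for illustration), and checks a file's bytes against the reported SHA-256. Matching is done on the host rather than the full URL, so a request to the same panel with a different path or a different letter case still fires.

```python
"""IOC handling for the extracted Lokibot configuration.

Added example; the C2 URLs and hashes are copied from the report above,
the proxy log lines and their format are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs as extracted from the sample's configuration (from the report).
C2_URLS = [
    "http://hmsd.us/loki/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# File hashes reported for 931e722f5e3571939e8503189b782db0.exe.
SAMPLE_HASHES = {
    "md5": "931e722f5e3571939e8503189b782db0",
    "sha1": "b37014f66d8b904725f488e9b8b8480675147314",
    "sha256": "3dd7f1720261b8846b6d2fb7fda89dcbc93fdbc7b69f7c49301daa5add74838d",
}

# Constructed proxy log lines (assumed format: epoch client method url status).
PROXY_LOG = """\
1687190401 10.0.0.12 GET http://example.com/index.html 200
1687190407 10.0.0.12 POST http://hmsd.us/loki/Panel/five/fre.php 404
1687190409 10.0.0.33 POST http://alphastand.win/alien/fre.php 200
1687190415 10.0.0.12 GET http://cdn.example.net/update.bin 200
1687190420 10.0.0.51 GET http://ALPHASTAND.TOP/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def c2_domains(urls=C2_URLS):
    """Sorted, lower-cased host names from the C2 URLs.

    The domain is the stable part of the IOC; the 'fre.php' path may differ
    between panels, so it is not used for matching.
    """
    return sorted({urlparse(u).hostname.lower() for u in urls})


def find_c2_hits(log_text, urls=C2_URLS):
    """Return (client, url) pairs whose destination host is a known C2 domain.

    Lines that do not fit the assumed log format are skipped rather than
    raising, so one malformed line cannot abort a batch.
    """
    domains = set(c2_domains(urls))
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname  # urlparse lower-cases the host
        if host and host in domains:
            hits.append((m["client"], m["url"]))
    return hits


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 of the given bytes, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data, hashes=SAMPLE_HASHES):
    """True if the bytes are the reported sample.

    Compare on SHA-256: MD5 collisions are practical, so an MD5-only match
    is not a safe identity check for a file.
    """
    return hash_bytes(data)["sha256"] == hashes["sha256"]


if __name__ == "__main__":
    print("C2 domains:", c2_domains())
    for client, url in find_c2_hits(PROXY_LOG):
        print(f"C2 contact from {client}: {url}")
```

Feed `find_c2_hits` the real proxy or DNS log and `matches_sample` the bytes of any file you want to check against this sample; the SHA-256 is also the value to pin in a blocklist, since the report's MD5 should only be used for lookups, not identity.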

Targets

    • Target

      931e722f5e3571939e8503189b782db0.exe

    • Size

      511KB

    • MD5

      931e722f5e3571939e8503189b782db0

    • SHA1

      b37014f66d8b904725f488e9b8b8480675147314

    • SHA256

      3dd7f1720261b8846b6d2fb7fda89dcbc93fdbc7b69f7c49301daa5add74838d

    • SHA512

      4ad44b17cc9aa24c8277f78beaebca173256db59edf10a78ceab2bd1ad56b5336be74e55d44b0c00f2dddd41b97a94588aea6dc35da8f0c7d21518842251253a

    • SSDEEP

      6144:2qJsocMS507SQfzFp6Wndk9YvhVTcgL/dpd1N/trCSeL2o6/n0h+ag1CWQbSfQqJ:jJsocMd7RpR66QgL/TdPUSL8EKqfEY

    • Lokibot

      Lokibot is an information stealer that harvests stored passwords and cryptocurrency wallet data.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and form autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a suspended thread into injected code, as in process hollowing.

MITRE ATT&CK Enterprise v6

Tasks