General

  • Target

    931e722f5e3571939e8503189b782db0.bin

  • Size

    359KB

  • Sample

    230621-bxgtbafb45

  • MD5

    fc2ed6ae1082a9bc61404149faf96822

  • SHA1

    ee574e8f7d29a7124e40416fdcfbf4cbcb4d7756

  • SHA256

    9e83add29e1a91adef77f392e2e6eb03976df2ea4c91263ecac3762e5b433332

  • SHA512

    79a3ec5e22e873beb3d4ea896360eaef85768e697bf474bd979de24075aa3f29b82b25924bd0991ecabc3099f2f266c444ea62a56f2687e28cff517624fdb720

  • SSDEEP

    6144:BA7VPF0RZC7PO9ZQ1/Nw6DlM8A0yr+3cUkwtpSTrlOGTDqtd5RAlcvJTQj4:YPF1O9ZQfVA0yr+3lzPSH0cKWk

Malware Config

Extracted

Family

lokibot

C2

http://hmsd.us/loki/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      3dd7f1720261b8846b6d2fb7fda89dcbc93fdbc7b69f7c49301daa5add74838d.exe

    • Size

      511KB

    • MD5

      931e722f5e3571939e8503189b782db0

    • SHA1

      b37014f66d8b904725f488e9b8b8480675147314

    • SHA256

      3dd7f1720261b8846b6d2fb7fda89dcbc93fdbc7b69f7c49301daa5add74838d

    • SHA512

      4ad44b17cc9aa24c8277f78beaebca173256db59edf10a78ceab2bd1ad56b5336be74e55d44b0c00f2dddd41b97a94588aea6dc35da8f0c7d21518842251253a

    • SSDEEP

      6144:2qJsocMS507SQfzFp6Wndk9YvhVTcgL/dpd1N/trCSeL2o6/n0h+ag1CWQbSfQqJ:jJsocMd7RpR66QgL/TdPUSL8EKqfEY

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks