Resubmissions

24-02-2024 22:23    240224-2a5jzagf3s    10

24-02-2024 22:21    240224-19156age7z    10

24-02-2024 16:07    240224-tkwqtaha2w    10

General

  • Target

    a23b318f6c7118191e14c01fe72b65fc

  • Size

    759KB

  • Sample

    240224-2a5jzagf3s

  • MD5

    a23b318f6c7118191e14c01fe72b65fc

  • SHA1

    37bb0fd931a1e2ccd5fc86daef66c82f578167de

  • SHA256

    954d1ef6afce8843a96769f710d52f407777a6c294ecb3539da592f3f72a560c

  • SHA512

    6ef2bf44fc3d2d155569515b0785073427ed932e6b66811da51794d6231b0b354b50bc93aa2e12b6cee81f40bde5d642cf06bb8ad04da16f1734f6bc32d65462

  • SSDEEP

    12288:UCmVxUin/gQJ2Rhf4ApQJQkKFF65JYHH+L8ElJ8hr3inBd+6ASYnwT0N/b1VrwV9:hmVxUOJwf4uQakQHHsAwjLAT7mo5oFCd

Malware Config

Extracted

Family

lokibot

C2

https://vihaiha.com/.vik/aill/hall/the/new/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Rule to detect Lockbit 3.0 ransomware Windows payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Modifies RDP port number used by Windows

    • Sets file execution options in registry

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Registers COM server for autorun

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Detected potential entity reuse from brand Microsoft.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks