General

  • Target

    20848021a4b56d6abd12e32715b29ce4

  • Size

    457KB

  • Sample

    240229-tmq84sed88

  • MD5

    20848021a4b56d6abd12e32715b29ce4

  • SHA1

    fd9ed2261fcfe189aa1a68b96a84343cc575d4be

  • SHA256

    e7024298f955778f099dd0bbd8310abb90c39088d23a3a429ca5738c4b21bc9f

  • SHA512

    20b0e709ba6e7902ebd378b8eb8cfd986369a1f735e35ae596abe08d47f0ca45f4e7f44911feaee3c76f9d6f1d1730c5798a8ffb0e082c9240378f76695990cb

  • SSDEEP

    12288:xaq/Az+p7lmOdOIrFxIpnqvS1HSnpP8UT:FozxW5gnSwHSnWU

Malware Config

Extracted

Family

lokibot

C2

http://194.55.224.16/pablo/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

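The C2 list and hashes above are the actionable part of this report. The following script is an added example (not part of the report or of any sandbox tooling) that turns them into two checks a responder would run: matching proxy log lines against the C2 URLs, with an exact host+path hit ranked above a host-only hit, and comparing a file's digests against the sample hashes. The log format (timestamp, client, method, URL, status) and the log lines are constructed for the example; the indicators themselves are copied from the report.

```python
"""Match the report's LokiBot indicators against proxy logs and file hashes."""
import hashlib
from urllib.parse import urlparse

# Indicators copied from the report above.
C2_URLS = [
    "http://194.55.224.16/pablo/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
SAMPLE_HASHES = {
    "md5": "20848021a4b56d6abd12e32715b29ce4",
    "sha1": "fd9ed2261fcfe189aa1a68b96a84343cc575d4be",
    "sha256": "e7024298f955778f099dd0bbd8310abb90c39088d23a3a429ca5738c4b21bc9f",
}


def c2_indicators(urls=C2_URLS):
    """Split the C2 URLs into exact (host, path) pairs and a host-only set."""
    exact, hosts = set(), set()
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        exact.add((host, p.path))
        hosts.add(host)
    return exact, hosts


def match_proxy_log(lines, urls=C2_URLS):
    """Return (line_no, level, host) hits; level is 'url' (host+path) or 'host'.

    Query strings are ignored so 'fre.php?x=1' still matches the path.
    A host-only hit is weaker evidence but still worth a ticket for the
    IP-addressed C2 and the throwaway alphastand.* domains.
    """
    exact, hosts = c2_indicators(urls)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # constructed format: ts client method url status
        p = urlparse(parts[3])
        host = (p.hostname or "").lower()
        if (host, p.path) in exact:
            hits.append((n, "url", host))
        elif host in hosts:
            hits.append((n, "host", host))
    return hits


def hash_bytes(data):
    """Compute the digests the report lists (MD5, SHA1, SHA256) for data."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def matches_sample(data):
    """Return the list of algorithms whose digest equals the report's sample hash."""
    digests = hash_bytes(data)
    return [alg for alg, h in digests.items() if SAMPLE_HASHES[alg] == h]


# Constructed proxy log lines for the example; not real traffic.
LOG_LINES = [
    "2024-02-29T13:05:12Z 10.0.0.14 POST http://194.55.224.16/pablo/five/fre.php 404",
    "2024-02-29T13:05:13Z 10.0.0.14 POST http://kbfvzoboss.bid/alien/fre.php 200",
    "2024-02-29T13:05:20Z 10.0.0.22 GET http://www.example.com/index.php 200",
    "2024-02-29T13:06:01Z 10.0.0.14 POST http://alphastand.top/alien/fre.php?x=1 200",
    "2024-02-29T13:06:05Z 10.0.0.31 GET http://alphastand.win/ 200",
]

if __name__ == "__main__":
    for line_no, level, host in match_proxy_log(LOG_LINES):
        print(f"line {line_no}: {level}-level hit on {host}")
    print("sample match:", matches_sample(b"not the sample"))
```

Note that the first C2 answered 404 in the constructed log: LokiBot walks its C2 list in order, so a dead primary followed by a successful POST to the next host is the expected pattern, and both lines belong in the incident timeline.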
Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer. It harvests saved credentials from browsers, mail and FTP clients and posts them to its C2 over plain HTTP (the fre.php endpoints listed above).

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook profiles

      Outlook profile settings hold mail account configuration and stored credentials, another common stealer target.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a (typically suspended) thread to attacker-written code; it is a hallmark of process hollowing and thread hijacking and is commonly seen when a packed loader injects its real payload into another process.
