General

  • Target

    af60bffbeb6ea0bda2e965bfacde58b4

  • Size

    370KB

  • Sample

    240229-y22evabg64

  • MD5

    af60bffbeb6ea0bda2e965bfacde58b4

  • SHA1

    4927e54a99625475c2bc15c203b8e7e34c15afb5

  • SHA256

    8487ec9e7929cead8c5dcea98ee74b8e1735d53d5ca7993f93b37892fe3c6364

  • SHA512

    98279350a800dbb113835c5fdc8a27573080f687c4829ac2ad2ab31f8204cf34e7e5c249b48830292143e271f11e6474f5930416599d53f870f40df2a8b2d269

  • SSDEEP

    6144:jTPrps7OG73r52XgTyxza4VoN++ZY3sMl0lDcn4FpidQybCIjp2Fz8cy5J360bcb:vtspzr52bm4VoNsyS4FYgW2J8v5JK8wD

Malware Config

Extracted

Family

lokibot

C2

http://23.95.132.48/~main/.isuoxiso/w.php/4X0DZyvYsANUg

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      af60bffbeb6ea0bda2e965bfacde58b4

    • Size

      370KB

    • MD5

      af60bffbeb6ea0bda2e965bfacde58b4

    • SHA1

      4927e54a99625475c2bc15c203b8e7e34c15afb5

    • SHA256

      8487ec9e7929cead8c5dcea98ee74b8e1735d53d5ca7993f93b37892fe3c6364

    • SHA512

      98279350a800dbb113835c5fdc8a27573080f687c4829ac2ad2ab31f8204cf34e7e5c249b48830292143e271f11e6474f5930416599d53f870f40df2a8b2d269

    • SSDEEP

      6144:jTPrps7OG73r52XgTyxza4VoN++ZY3sMl0lDcn4FpidQybCIjp2Fz8cy5J360bcb:vtspzr52bm4VoNsyS4FYgW2J8v5JK8wD

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks