General

  • Target

    acef407cd9b335c0c1ca6582aef98d35.bin

  • Size

    851KB

  • Sample

    240301-dba5rabc72

  • MD5

    acef407cd9b335c0c1ca6582aef98d35

  • SHA1

    28569bb0962cbe06d1344a61aa8c426746494632

  • SHA256

    2706cd9c8993267a695a8580ff5987c821093bfea0de05b561a98ac020b373ee

  • SHA512

    3a4802a7b378a8b3cfdfcc1bff108756d3cf30a4d9218fdcfcc55000093a3a2951bb0238d6ab199eade72966984446ffd4120fa6b69ba1df30f8f1900cfc856c

  • SSDEEP

    12288:7E3CyWQuuvDBddbgYUhKyW585/Fy02EfedMWr5mpmZb03629fZQCcgV8oVe0mo5g:7UrTuMddMYUs+XaECMuBSR1kgV8YE4g

Malware Config

Extracted

Family

lokibot

C2

http://192.236.179.121/new/zubby/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      acef407cd9b335c0c1ca6582aef98d35.bin

    • Size

      851KB

    • MD5

      acef407cd9b335c0c1ca6582aef98d35

    • SHA1

      28569bb0962cbe06d1344a61aa8c426746494632

    • SHA256

      2706cd9c8993267a695a8580ff5987c821093bfea0de05b561a98ac020b373ee

    • SHA512

      3a4802a7b378a8b3cfdfcc1bff108756d3cf30a4d9218fdcfcc55000093a3a2951bb0238d6ab199eade72966984446ffd4120fa6b69ba1df30f8f1900cfc856c

    • SSDEEP

      12288:7E3CyWQuuvDBddbgYUhKyW585/Fy02EfedMWr5mpmZb03629fZQCcgV8oVe0mo5g:7UrTuMddMYUs+XaECMuBSR1kgV8YE4g

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks