General

  • Target

    b1f8160c5b8b4318543fe49946da025e

  • Size

    874KB

  • Sample

    240304-m7nkdshg72

  • MD5

    b1f8160c5b8b4318543fe49946da025e

  • SHA1

    4c877a0f62f7b5300b24b416a084b178c6ed7998

  • SHA256

    519168235df4b84e9d493e8d4d1cd5c013a6981b01dfc47e68b44bdeaa975a5c

  • SHA512

    5a20453132ed3bc563161521f133a91b23b5847c5fc2494145f8ab986cece2f5c9ca6298a075b9d3a12996f0f9479cab06ec00d8e4d6f997291896c64ecebd07

  • SSDEEP

    24576:EWmTGdGMc8DS/d3YK64JhKE92KpxoZQiW0:7XK64JT92xw

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15