General

  • Target

    b266df03c57659792d1ed7f5b6e68507

  • Size

    595KB

  • Sample

    240304-r8clqsea55

  • MD5

    b266df03c57659792d1ed7f5b6e68507

  • SHA1

    b3cc97d0cdbac7735cbf05e75105fcc9b1bab26b

  • SHA256

    ef4dc347901bbc4ed2bf4bc21dc8faa2ce9691af0ba20e659ea4464320f24348

  • SHA512

    bfd2f73e5ac40b804659de5dc5a137f44588a3d000bade94896696e51254c846e9a20045fa351074c0e93067cf3881d8bdb1156b5ad31d98dc6fd952ae2a7b72

  • SSDEEP

    12288:RhRNEnAmVA1Yy0NTJHOUnn1Iv/gVjniap0BQHLpBlH5ne387utOUsR6:BvmVAl0npnn1Gjcd

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.5/sxisodifntose.php/7KyDs3toUfmfd

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      b266df03c57659792d1ed7f5b6e68507

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
