General

  • Target

    b3a855b248ac981f2edca2e162d51509

  • Size

    679KB

  • Sample

    240305-dz9m8adc6v

  • MD5

    b3a855b248ac981f2edca2e162d51509

  • SHA1

    d98eac5aa7d9fe044ba0ea1970e96258ce8a2ae1

  • SHA256

    4f6d66cea6a8dcd4a29089e58d5adc3858445d4bba816fb2aa6ebc9cecfea68b

  • SHA512

    99b4ba5a150df36fd6d6a6fea4ced94fb3f40c0baf2374c279b1ec0e06848f74289750661f0c218b007b70e47bcf6d4bd1ddf32b433048c6541ac64abd888444

  • SSDEEP

    12288:kuVE2anr5O/FoYHYciqIME/vgflTYNEicq0GN/Z9lOWTUwNK5JOEPpBja:JE2ar5FYHz5IB/kRYNEicq0GlNOWzSHa

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.5/sxisodifntose.php/7KyDs3toUfmfd

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      b3a855b248ac981f2edca2e162d51509

    • Size

      679KB

    • MD5

      b3a855b248ac981f2edca2e162d51509

    • SHA1

      d98eac5aa7d9fe044ba0ea1970e96258ce8a2ae1

    • SHA256

      4f6d66cea6a8dcd4a29089e58d5adc3858445d4bba816fb2aa6ebc9cecfea68b

    • SHA512

      99b4ba5a150df36fd6d6a6fea4ced94fb3f40c0baf2374c279b1ec0e06848f74289750661f0c218b007b70e47bcf6d4bd1ddf32b433048c6541ac64abd888444

    • SSDEEP

      12288:kuVE2anr5O/FoYHYciqIME/vgflTYNEicq0GN/Z9lOWTUwNK5JOEPpBja:JE2ar5FYHz5IB/kRYNEicq0GlNOWzSHa

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks