General

  • Target

    PUSD9212304_pdf.exe

  • Size

    495KB

  • Sample

    240305-jktaksag34

  • MD5

    4e6d5263bd97cca12e0b97d89d835d88

  • SHA1

    a17e6d89373f2955aa3c9b0f8f362f1c0605abd8

  • SHA256

    61d2d93c84dfd913dbb976c21fdd3d87dd3100e9035e4dd04b3c5f4c3c705085

  • SHA512

    69334afe3ab25369a4c2fce6926a38e293477283a91adb155fdaead9b24985e46e7befc33cabfdd0edef9d8458d679d40c6faca9adc44a439d2c77ee54a4fc19

  • SSDEEP

    12288:LBHwI2ZTWUqDcVedlD9ft8Ep4uAjt4SLD5wtbg9Q93:LBHwID4edxFt8849t4UDytH9

Malware Config

  • Extracted

    Family: lokibot

    C2:

    https://sempersim.su/c12/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      PUSD9212304_pdf.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15