General

  • Target

    b4a4da0e2f4a40c5c37ac9542653dd85

  • Size

    505KB

  • Sample

    240305-n471asfa54

  • MD5

    b4a4da0e2f4a40c5c37ac9542653dd85

  • SHA1

    2d69e8e3a25e01fe0c7b9e7f7de8479d641665fd

  • SHA256

    fdfd577e66b1db53a9e7388c779cacbb7d47397ef8f5550a33777826173ac000

  • SHA512

    c32ce3b3020ea90bc90fa9ec652e97e2c56124bcb36846a282aacdbade719ba33932d7f940b08321fe7b16f1a61f49de9c125fe69b9cd26b4ff1ba064e9fe46b

  • SSDEEP

    12288:zPEmcXSwQ+poFHMzMv28Z6qDKV0H0BmS3GRevVYLWb2k:zPEmcSwq68Z/DQXGRr62k

Malware Config

Extracted

Family

lokibot

C2

http://eneos.com.tw/includes/imt/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      IP08323_21 ROLLERS.exe

    • Size

      694KB

    • MD5

      46bba4d60a7d0a6f3ea41d8f2d1ff5a8

    • SHA1

      0e7c0cafea163a2d27a6165cb4cda1afc196531f

    • SHA256

      81a4aaff9520803ff6cb7f1100024e0c2bc40750c05290f53c5e01b5cff6a59c

    • SHA512

      a2e498ba924405cac6f9ccc6279697725a33ec1a939db2a55a5e337580afc5f37682bdf14deee1221cb192e57de1f23b58a1d9731538063b6a272e85fc0c9442

    • SSDEEP

      12288:h1Wl8T5zM63xjme3fHhtQFGHykkEJVNuoJy:hA2Vdx/htQUSNQvU

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks