General

  • Target

    gotohttp_x64.zip

  • Size

    915KB

  • Sample

    240308-xq2qsseh6t

  • MD5

    1e504376f0fd2c919084ea8f3282c342

  • SHA1

    00997bff80aaa81debb6ed61957515a9b2237f3e

  • SHA256

    379ab42eadf2f3e0a552aeb280ffe7e2616c64e6eb96a9dbfcd4429b0ba67fb3

  • SHA512

    f637d2334d5cf31b375c59a338ab7802bc3b74b1a26cf328bd058989e9ded4d3c14c6b572531995a5c7ccf409f546b96618c766e681d83df904fbfe8efccba24

  • SSDEEP

    24576:Ou7s2sHuNvsj6SkEs7cdT8YKUb0iEN8blY:6Ru1sj8cdwO00blY

Malware Config

Extracted

Family

lokibot

C2

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      GotoHTTP_x64.exe

    • Size

      2.2MB

    • MD5

      dcf8c8ef55fd294027997128de155b9f

    • SHA1

      a7ca95740760a4bb57ef61814ec1579568fbffa2

    • SHA256

      236c90cde83b3dc403c3c186193b0d2cd14b067f6b4c840d5f0baee57840eba9

    • SHA512

      81a9c914c4ce6da21231d1d6cdab1a720935f3e20eef16136ff07293c9edfc4ed7e9ad3b909ed4ff88dd437ae8afeb12c0f3b81712b41486c18f695d0e7e033f

    • SSDEEP

      49152:V2JQb0rvdEeF5XsHuCmDKTkB7a1GwvvnE0jVBTs6vUaB:5wHH0kUHZjA6v/B

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks