Resubmissions

09/03/2024, 08:48

240309-kqd9aafb5w 10

09/03/2024, 08:45

240309-knp8rsec38 1

General

  • Target

    https://s3.eu-central-1.amazonaws.com/dasmalwerk/downloads/12256ae063a7afb4bffdd880d213a272b4d0b1cbfbdf0b5334cd4a0ad5693844/12256ae063a7afb4bffdd880d213a272b4d0b1cbfbdf0b5334cd4a0ad5693844.zip

  • Sample

    240309-kqd9aafb5w

Malware Config

Extracted

Family

lokibot

C2

http://

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      https://s3.eu-central-1.amazonaws.com/dasmalwerk/downloads/12256ae063a7afb4bffdd880d213a272b4d0b1cbfbdf0b5334cd4a0ad5693844/12256ae063a7afb4bffdd880d213a272b4d0b1cbfbdf0b5334cd4a0ad5693844.zip

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks