General

  • Target

    Confirmacion Pago del saldo.lnk

  • Size

    2KB

  • Sample

    240313-rad2xagb89

  • MD5

    a8c342249f92e8f834469cd5fe517643

  • SHA1

    bbfe62a54df0ea6bc13d470b65ecf65ffc2cff91

  • SHA256

    ac29b52dce3403d45c606e2f3c2fb81bf32d0e5368575eedbd734a647bbb1630

  • SHA512

    f780b14bce2c17be4ca0d58f818dd23f526d31566e44ae775229ef1beeaec6c94729588c71385a8a9ac382a887518037fc21367ac84a93f5dfaf1386f3ade551

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://js-hurling.com/sourcecontent/jsgnjnwjenrgwunibhbsrjhbbabrghrbgkbhrjglhgjrwrhtkjabtkghbgtrg/fjsnvkdthtgr/TvipY.exe

Extracted

  • Family

    lokibot

  • C2

    http://94.156.66.115:4012/dolul/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      Confirmacion Pago del saldo.lnk

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks