General

  • Target

    d03b5d9915759485d4d43a327c9e2790

  • Size

    839KB

  • Sample

    240317-hvslcshb8t

  • MD5

    d03b5d9915759485d4d43a327c9e2790

  • SHA1

    497645abf7ab5e1b1ce28fbc76be64089a45aed7

  • SHA256

    1e3d9fa898f056afc865eff41c5069ac86c89ce226e026ffdaeb5081b0dc1d40

  • SHA512

    53647040d95dc39bd8163f8d4c88c8b0532fdf0145e1c4a15d45fcdad52d8d94d8f75f9ff6a93c47ca993cd0336b0eeaeb21f706af1bffb912e48b92a99766a2

  • SSDEEP

    12288:bfcsGI/chajO46FCsPS1rXGVIzQn5yo+jnGufWzjX17liMFO75dlGKaAOgweykiU:bvjO46FCKMG4OEXxWzjXTiMc1WBT

Malware Config

Extracted

Family

lokibot

C2

http://65.21.223.84/~t/i.html/tFOhqWyhkeGEw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15