General

  • Target

    d0aea2803d563d223c48c97f8db8cdf6

  • Size

    840KB

  • Sample

    240317-mwjgascf39

  • MD5

    d0aea2803d563d223c48c97f8db8cdf6

  • SHA1

    b0b86b8542f896d0c143d929bf7e5a67d5457a6d

  • SHA256

    2ae2e3559573b743f0323ac945af2a16865fa6290c57a9eaecfb7402f8f15779

  • SHA512

    b686e4569bab633848c06eb04ccb4f175f45db778a00e517a8382cdb7ee8b0d279fa42f535dffd4c1a161de1bb3e3f513573b92fd90e7f608035c29c71f29190

  • SSDEEP

    12288:dGBF2sBo66KI5yglTpUIpm65E8dQkuqCVuVi4/hgVv0m+1aC1k7nji3Jg2c/ZKQq:dwFBoS6Hh5ZdqVRi7

Malware Config

Extracted

Family

lokibot

C2

http://192.236.162.234/oga/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15