General

  • Target: d7d72ab4886998af64187027be3daeb9
  • Size: 470KB
  • Sample: 240320-ems1dagg8w
  • MD5: d7d72ab4886998af64187027be3daeb9
  • SHA1: 4950728685c38d6f9835356b76b13d5daf461353
  • SHA256: 7ab995509fe427c2646b10be0715c40138ef4da7da41101452c66cf42e081c7d
  • SHA512: ae8aa5a1a644c34c72ecc18fc18d2e8476386f1737183e794b8e1b16516d1a1ea1133ae41c40b7ba04e5ecf4c4c0011b5e571425c1c6bb6ca9e6125960f550d6
  • SSDEEP: 12288:Dw8JnZwcBM92krSXo64JkiLVotV4cLcvTTXxco3zSKa:5JlxkrCrWyt

Malware Config

Extracted

Family: lokibot

C2

http://185.227.139.5/sxisodifntose.php/Bgk1JOCIxEmrB

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15