General

  • Target

    rpayment_slip.pdf.exe

  • Size

    566KB

  • Sample

    240325-lfw7safa8w

  • MD5

    0aa08a1de128f754244a41caad13b855

  • SHA1

    d757260a3e82337339e45a596e7f879df42776e7

  • SHA256

    bbc7fdaebde9c78601c1965f662082874bae5e023f85701316f930266b0482c6

  • SHA512

    555951f159cd139d0d7d8f8ea1f36faed3d82e1c96833198450355bd620c63a3a1c0b55d8cd3a33b4c37678bbba31819562c3743be9dd73fc509e52cb62273df

  • SSDEEP

    12288:Zp4CMwaRzpgQF9z72qYps2bgBiFhNTetpAAI2xv2nA:izFFo4ALNyt9jxO

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/c6/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15