General

  • Target: 3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283.zip
  • Size: 264KB
  • Sample: 240328-ep8tlsea91
  • MD5: ce7dc9a4a7e2542a7b3c53ff2721c182
  • SHA1: 6855f4213dbb2b74e80ea4c299b2d94c7166590d
  • SHA256: 60c69e3878cb29f0fab45f01c3b806cb7d046929c708a86ddfdba9598269ae5f
  • SHA512: a71b1925fac29a0fd264a671e0fbddc094303d3573cb2c1d45e0f57040398f47ee0123a2ae83c9c5e9ae58e773db8199d81f9e50a527668b19efcfb2a60f278a
  • SSDEEP: 6144:lxt3+2ZJS+oNOa3kjPTw/jIZx45JwrFUAP+l6aO47gx5YP8mu9oiW:lxtGHka3kHwtJwrOJ7gx5YNmPW

Malware Config

Extracted

  • Family: lokibot
  • C2:
      https://sempersim.su/c13/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Targets

    • Target: 3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283.xls
    • Size: 317KB
    • MD5: 3a676a14c0aa582a465032b971ca23f5
    • SHA1: 04b12227d6b22ed562005d126cd7e3366c4fe966
    • SHA256: 3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283
    • SHA512: f4e2e080f2c6b73aad8f8a487e65a5aed1cee9fa77e9e82f1e0538c978c2f150e10b2ac93e96d65857a7380acd94e16178c82bedb65c415b247f01580e49ae05
    • SSDEEP: 6144:VPunhX2jaLY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVlLMIU6FDCmg9bhQ87:VqhX2ja23bVlLMILKbhQ4z3SJKgJeB/b

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Abuses OpenXML format to download file from external location
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks