General

  • Target

    467d80ed674c45af3b474549d253e05d2478d52768c38fbd5ffae2eb820e12c4

  • Size

    935KB

  • Sample

    240330-xxws5adc82

  • MD5

    c1b59591ec250e271c4c30cf994e6ee1

  • SHA1

    009a456d4e6d9f3a1961bdbdab47afaed7427963

  • SHA256

    467d80ed674c45af3b474549d253e05d2478d52768c38fbd5ffae2eb820e12c4

  • SHA512

    d9b5b6757f7868b6427c3bc53183201d57fc93ba1f9a9e47611f5963be7aede8158663d91bd06c4c7cd429c55adf71933d36b8f3ddfaac9d370c3179c71fcac4

  • SSDEEP

    12288:Stb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaLp83TYDUqOP6A:Stb20pkaCqT5TBWgNQ7aL23TqOP6A

Malware Config

Extracted

Family

lokibot

C2

http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
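The hashes and the extracted C2 list are the actionable part of this report. The Python below is an added example, not part of the sandbox output, that turns them into two checks: matching a file's hashes against the listed values, and matching outbound requests in proxy-log lines against the C2 hosts. The log format and the log lines are constructed for the example. The second, weaker rule (any request to a path ending in `/fre.php`) is drawn only from the fact that every C2 entry above ends in that gate script; treat such a hit as something to confirm, not as proof on its own.

```python
"""Hash and C2 checks built from the sandbox report's IOCs.

Added example, not part of the report. IOC values are copied from the report;
the log format, the log lines and the file bytes are constructed here.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Hashes as listed in the report.
REPORT_HASHES = {
    "md5": "c1b59591ec250e271c4c30cf994e6ee1",
    "sha1": "009a456d4e6d9f3a1961bdbdab47afaed7427963",
    "sha256": "467d80ed674c45af3b474549d253e05d2478d52768c38fbd5ffae2eb820e12c4",
}

# C2 URLs from the extracted Lokibot config.
REPORT_C2 = [
    "http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy-log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def file_hashes(data: bytes) -> dict:
    """Compute the same three digests the report lists for a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_matches(hashes: dict) -> set:
    """Return the names of the digest algorithms whose value equals the report's.

    Compare all three: an MD5-only match is a collision candidate, not a verdict.
    """
    return {alg for alg, val in hashes.items() if REPORT_HASHES.get(alg) == val.lower()}


def c2_hosts() -> set:
    """(host, port) pairs from the C2 list; an explicit port (3777) is kept, else 80 for http."""
    hosts = set()
    for url in REPORT_C2:
        u = urlsplit(url)
        hosts.add((u.hostname.lower(), u.port or 80))
    return hosts


def classify_request(url: str) -> Optional[str]:
    """'c2_host' on an exact host:port match, 'c2_path' when only the shared
    /fre.php gate path is seen on some other host, None otherwise."""
    u = urlsplit(url)
    if u.hostname is None:
        return None
    key = (u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80))
    if key in c2_hosts():
        return "c2_host"
    if u.path.lower().endswith("/fre.php"):
        return "c2_path"
    return None


def scan_log(lines) -> list:
    """Return (timestamp, client, url, verdict) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # lines in another format are skipped, not treated as clean
            continue
        verdict = classify_request(m["url"])
        if verdict:
            hits.append((m["ts"], m["src"], m["url"], verdict))
    return hits


# Constructed sample log: two hits on listed C2 hosts, one clean request,
# one path-only hit on a host not in the report, one malformed line.
SAMPLE_LOG = [
    "2024-03-30T12:00:01Z 10.0.0.5 POST http://alphastand.win/alien/fre.php 200",
    "2024-03-30T12:00:02Z 10.0.0.5 POST http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php 200",
    "2024-03-30T12:00:03Z 10.0.0.7 GET http://example.com/index.html 200",
    "2024-03-30T12:00:04Z 10.0.0.9 POST http://203.0.113.10/newpanel/fre.php 404",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("report hashes self-check:", hash_matches(REPORT_HASHES))
```

Port handling matters here: the first C2 listens on 3777, so a host-only match would miss proxy logs that record `host:port` separately, and a port-only rule would flag unrelated traffic; matching on the (host, port) pair keeps both false positives and misses down.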

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15