General

  • Target

    43edf7af78a3ed2272221db663c1afd3e24b61cf10e727fd136c658f70abc633

  • Size

    284KB

  • Sample

    240331-lsztfaac96

  • MD5

    7a060a1e3aa99e966da96c0ce81195ce

  • SHA1

    3ec0bb93c351b54de88440235cefe737fc315580

  • SHA256

    43edf7af78a3ed2272221db663c1afd3e24b61cf10e727fd136c658f70abc633

  • SHA512

    7d01fede33dc48585ebf369a45d0847ffada83b3cc8b6392ebc58c291b91988563f96934e7d885e6421cc91be5784eb03c80972ae5680b2890461f0c17cb7c54

  • SSDEEP

    6144:rGiXGcdl1BHuLzpvGTbeGn1CG6uiOvpwQgaoA32l7JXFzXQDNKOgJM:TtdlfuPpenHCmDgR023eQJM

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://63.250.40.204/~wpdemo/file.php?search=5803588

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      43edf7af78a3ed2272221db663c1afd3e24b61cf10e727fd136c658f70abc633

    • Size

      284KB

    • MD5

      7a060a1e3aa99e966da96c0ce81195ce

    • SHA1

      3ec0bb93c351b54de88440235cefe737fc315580

    • SHA256

      43edf7af78a3ed2272221db663c1afd3e24b61cf10e727fd136c658f70abc633

    • SHA512

      7d01fede33dc48585ebf369a45d0847ffada83b3cc8b6392ebc58c291b91988563f96934e7d885e6421cc91be5784eb03c80972ae5680b2890461f0c17cb7c54

    • SSDEEP

      6144:rGiXGcdl1BHuLzpvGTbeGn1CG6uiOvpwQgaoA32l7JXFzXQDNKOgJM:TtdlfuPpenHCmDgR023eQJM

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/itbd.dll

    • Size

      88KB

    • MD5

      139dbcbeeaaf2d5a55c634208a0efa34

    • SHA1

      515576bdd64f07f007843ead1197ac34a4d65243

    • SHA256

      872e5aa466a8fc417fbf49fef4aaeb3ce941200a62794fd7b8f1cdbb8cdddcc0

    • SHA512

      15e202ca78c87253f39505304ecae935e808b731281bcbc84d476fe711918a16557086a9b6951427d4f4e5ab995ce9d572f5ba07c325dc7753ec01092d6cef2d

    • SSDEEP

      1536:W1h8Lsu0K4ZjTTm4qTfYS375Q+kZT8ywzViIkzSzRrsWjcdKkzo6KAUSnWgVpXP:Wr8MKkGDTDVZnkzSzRUKkzo6KSNZP

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks