General

  • Target

    43c9d2ce7dd27609316480a0995af447903a6c9bf6dd64e4ff2ae666062076ba.exe

  • Size

    617KB

  • Sample

    240416-bhpwdafc31

  • MD5

    7366fe55f804decd140f2f09dd2b8e9e

  • SHA1

    dfcc22167c3ad24d1def8f2c19dce63643d40113

  • SHA256

    43c9d2ce7dd27609316480a0995af447903a6c9bf6dd64e4ff2ae666062076ba

  • SHA512

    38836a6fd931965abc6546f986287b308358c56f0deee709aa15a28e93c535d48e9a2ca42d3dbd1782bd8f07fb439c6b6698025cd7139147bf317f88689cbbd6

  • SSDEEP

    12288:BHMNBhncmaAXrCIlve2pjkDO6uBZwlIs5bhq7ckR:lMNdrCGeCgvuBKGs5b4v

Malware Config

Extracted

Family

lokibot

C2

http://24.199.107.111/index.php/720637

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      43c9d2ce7dd27609316480a0995af447903a6c9bf6dd64e4ff2ae666062076ba.exe

    • Size

      617KB

    • MD5

      7366fe55f804decd140f2f09dd2b8e9e

    • SHA1

      dfcc22167c3ad24d1def8f2c19dce63643d40113

    • SHA256

      43c9d2ce7dd27609316480a0995af447903a6c9bf6dd64e4ff2ae666062076ba

    • SHA512

      38836a6fd931965abc6546f986287b308358c56f0deee709aa15a28e93c535d48e9a2ca42d3dbd1782bd8f07fb439c6b6698025cd7139147bf317f88689cbbd6

    • SSDEEP

      12288:BHMNBhncmaAXrCIlve2pjkDO6uBZwlIs5bhq7ckR:lMNdrCGeCgvuBKGs5b4v

    • Lokibot

      LokiBot is an information stealer that harvests stored passwords and cryptocurrency wallet data and exfiltrates them to the C2 endpoints listed above.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a suspended thread into injected code (process hollowing). On its own it is a heuristic, not proof of injection.

MITRE ATT&CK Enterprise v15
