Overview

overview

10

Static

static

3

61d2d93c84...85.exe

windows7-x64

10

61d2d93c84...85.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    86994d3f5bfd356c14040ffc3226e7d01dbf5fb77f7e982126d67263e76b566e

  • Size

    472KB

  • Sample

    240417-qpkmkahd49

  • MD5

    3755acf926afc8b6a14319951054b65b

  • SHA1

    4828f78187b99e1da61817d14c7c92bc7162888b

  • SHA256

    86994d3f5bfd356c14040ffc3226e7d01dbf5fb77f7e982126d67263e76b566e

  • SHA512

    384a57598a67387a8be96c42c560ddf36cad883e346a1af88cd5fafc734a3e72cd0f2906ef4498dbee5a235dbc8ba0bf8c7c5fa537a2a74352533e03c8d4be56

  • SSDEEP

    12288:AZrIhJz5YI+AKw8JC5MrmRTw/jf7PBfJXX1uMkQafahBo/Yy:AZEmJC6KRc/JJl37afaDA

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/c12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      61d2d93c84dfd913dbb976c21fdd3d87dd3100e9035e4dd04b3c5f4c3c705085.exe

    • Size

      495KB

    • MD5

      4e6d5263bd97cca12e0b97d89d835d88

    • SHA1

      a17e6d89373f2955aa3c9b0f8f362f1c0605abd8

    • SHA256

      61d2d93c84dfd913dbb976c21fdd3d87dd3100e9035e4dd04b3c5f4c3c705085

    • SHA512

      69334afe3ab25369a4c2fce6926a38e293477283a91adb155fdaead9b24985e46e7befc33cabfdd0edef9d8458d679d40c6faca9adc44a439d2c77ee54a4fc19

    • SSDEEP

      12288:LBHwI2ZTWUqDcVedlD9ft8Ep4uAjt4SLD5wtbg9Q93:LBHwID4edxFt8849t4UDytH9

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks