Overview

overview

10

Static

static

3

3791b65b31...68.exe

windows7-x64

10

3791b65b31...68.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b4672b2216779a3b35febd3824fcb017d0a39ea9c488272fe80b50ea369e61d7

  • Size

    617KB

  • Sample

    240417-qzav4sbf5s

  • MD5

    9948cff0008d8e60895029aad8b43d90

  • SHA1

    785b8c30c28cc9f1fd93b365be3ddcf7da495dcc

  • SHA256

    b4672b2216779a3b35febd3824fcb017d0a39ea9c488272fe80b50ea369e61d7

  • SHA512

    dd6eb2aa96ef8348bfed3936e5d02a4148d6ec1d39a2d20c2ed9cad4d82c7b23cdeae307fc2bc0cae890fe5b86322890740d0bbf7c84659e935b2ccc75135a5a

  • SSDEEP

    12288:W57lFf6JXqFjhf7Dkt1MD1uY4wCN6bI0tGVj0lmvt+sETF2:W5lFiJaFtDU1q1EH+I0t6j0lmV+sETs

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://91.92.252.146:4002/kioy/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe

    • Size

      735KB

    • MD5

      7733da960ee126b39752a737301c0f86

    • SHA1

      414d654545da349c21e58f0ae28021fe48a6f02b

    • SHA256

      3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268

    • SHA512

      9b9f4c0e926e76950a781713667cd4dfa34002a3340b99877730e7db67ea2a0dc7245518a1a943c388abc5dcd489737a1a88873c12deb028f788c8a3cd94d9d6

    • SSDEEP

      12288:NcrNS33L10QdrXjKDnuFeDnnHgnS61NNyz3Pbpv08kMZYS:wNA3R5drXGDuFmASO7y10gZYS

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks