Overview

overview

10

Static

static

3

3791b65b31...68.exe

windows7-x64

10

3791b65b31...68.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b3086c51dd81a401a5e93c56df7376834000db5e0ed07f95e320202a3d4b54ca

  • Size

    617KB

  • Sample

    240417-rf9qrsbb75

  • MD5

    9a760d7ad77806cd3a0a75c86a3afa03

  • SHA1

    4791aae3adb8b68579657adc524c99b88682cb86

  • SHA256

    b3086c51dd81a401a5e93c56df7376834000db5e0ed07f95e320202a3d4b54ca

  • SHA512

    08974f3b37172607d9b5e391f5dfa0a0e860f57ca208464fee0bbc1a2eb639ccad546fbb3164ac3ef73046c70f677ed65141f2e42acf94d5e68014cf68913e63

  • SSDEEP

    12288:H9dfOCrcNQlcs9GVe/fg53/TG4lrERFPNoeQHr/ix1OfjbuOAWU2Tml:H9dfRBys9PAS4IUeKix143Ad2+

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://91.92.252.146:4002/kioy/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268.exe

    • Size

      735KB

    • MD5

      7733da960ee126b39752a737301c0f86

    • SHA1

      414d654545da349c21e58f0ae28021fe48a6f02b

    • SHA256

      3791b65b31a3b12f458e042509119c60c2b3abd4f40f4da81f7404b6fb7db268

    • SHA512

      9b9f4c0e926e76950a781713667cd4dfa34002a3340b99877730e7db67ea2a0dc7245518a1a943c388abc5dcd489737a1a88873c12deb028f788c8a3cd94d9d6

    • SSDEEP

      12288:NcrNS33L10QdrXjKDnuFeDnnHgnS61NNyz3Pbpv08kMZYS:wNA3R5drXGDuFmASO7y10gZYS

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks