General

  • Target

    d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4.exe

  • Size

    541KB

  • Sample

    240418-cfbfmsgb72

  • MD5

    8864b52d242037414b7c4a230c390ab8

  • SHA1

    47680d0f0d286097f7cdda37947aaaacd7226ee3

  • SHA256

    d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4

  • SHA512

    1cc6124f479dee45a46ada9416e90642365f316b055e2dbb73cc34b0276449fabf1b7929e5a76c133829feca47669445cbce2b876430d5d77902c2034b64b59d

  • SSDEEP

    12288:/AogULNdQcE6lIi6TckYyD1WoO3wjcuuC4KU3f3uWbF:JgadQ1iYcSWNwjHuC4KU3f3uWbF

Malware Config

Extracted

Family

lokibot

C2

http://136.244.109.75/index.php/1748937

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4.exe

    • Size

      541KB

    • MD5

      8864b52d242037414b7c4a230c390ab8

    • SHA1

      47680d0f0d286097f7cdda37947aaaacd7226ee3

    • SHA256

      d405284f75cde4b8c45e3d5c3b41c7bbd6db2c75788cb6d0b1deec5ea60559a4

    • SHA512

      1cc6124f479dee45a46ada9416e90642365f316b055e2dbb73cc34b0276449fabf1b7929e5a76c133829feca47669445cbce2b876430d5d77902c2034b64b59d

    • SSDEEP

      12288:/AogULNdQcE6lIi6TckYyD1WoO3wjcuuC4KU3f3uWbF:JgadQ1iYcSWNwjHuC4KU3f3uWbF

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks