General
- Target: deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a.exe
- Size: 561KB
- Sample: 240426-b14r9aha88
- MD5: 34730f3da822589c3b36ec7197ede429
- SHA1: 666691e4d03bb9d885184e80d5ec5639ef56a886
- SHA256: deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a
- SHA512: 5eba3f2ef8b28939fd81dff93ceffcd88635f99821ba67302b490644082e18389384fcf9dda98da5b93e5949f2d257274fee082c3e1ee4dede39e3486e37220a
- SSDEEP: 12288:EYIPXjVIGzJReCstSBtlhZPhYriyAkwTiaM5ykR:EYIPLtailrPhYuowTiD
Static task: static1
Behavioral task: behavioral1
- Sample: deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted
lokibot
http://45.77.223.48/~blog/?ajax=ee
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: deb91032be610ab0761ed5e1076877458b9adbbbf79ae250672fc1c2f5fc8d0a.exe
Score: 10/10
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing common artifacts observed in infostealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext