General

  • Target

    5d898832ef4c190d301d67b8f2534213a65633426edbff513b28cbd09df235b3.exe

  • Size

    990KB

  • Sample

    240502-bwxhdafc78

  • MD5

    c45be3cda7b3a08691d1b0ec9b2f9d9d

  • SHA1

    68c3fae9d29936c326c5ad88b3b7091af3f8f450

  • SHA256

    5d898832ef4c190d301d67b8f2534213a65633426edbff513b28cbd09df235b3

  • SHA512

    d58e35e5487c34d80ea53b9db642137831f412d51dfb772d39d5324940d5216730feaf6f1203fafb6f17b6fca153739a6c987cd2437a8519e43e32ff7b07b0d5

  • SSDEEP

    12288:bjU00pFjzc/AKn4lvHMYLX5kcqoaw297Vinu3neuNtG9ipyjSRIPMbP:z0s3ncLkBo297gu3euveszbP

Malware Config

  • Extracted

  • Family

    lokibot

  • C2

    http://ebnsina.top/evie1/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target

      5d898832ef4c190d301d67b8f2534213a65633426edbff513b28cbd09df235b3.exe

    • Size

      990KB

    • MD5

      c45be3cda7b3a08691d1b0ec9b2f9d9d

    • SHA1

      68c3fae9d29936c326c5ad88b3b7091af3f8f450

    • SHA256

      5d898832ef4c190d301d67b8f2534213a65633426edbff513b28cbd09df235b3

    • SHA512

      d58e35e5487c34d80ea53b9db642137831f412d51dfb772d39d5324940d5216730feaf6f1203fafb6f17b6fca153739a6c987cd2437a8519e43e32ff7b07b0d5

    • SSDEEP

      12288:bjU00pFjzc/AKn4lvHMYLX5kcqoaw297Vinu3neuNtG9ipyjSRIPMbP:z0s3ncLkBo297gu3euveszbP

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks