General
-
Target
bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9.exe
-
Size
835KB
-
Sample
240515-b8b27sbh34
-
MD5
ec6570ba3ecd5ce8ec00e775eebe3872
-
SHA1
e449ffc0d43aad5dea985ddb2ae506a28e548f88
-
SHA256
bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9
-
SHA512
9cefd277e30b232bc661826cf0361d8b0f028378002112b114123ad92317cc610425add500a6858367de7aa60599092d9641eb0af1b58fd16850a970fd6001f8
-
SSDEEP
12288:Ftzd+m39dkAf5YSyBThO6QEJ7KJajLYDcks2qIUtd88ZAFfhAR/e4Fkf:FthkszyqFYKqYHMIN8iFZARG4U
Malware Config
Extracted
lokibot
https://franccoisfreres.com/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9.exe
-
Size
835KB
-
MD5
ec6570ba3ecd5ce8ec00e775eebe3872
-
SHA1
e449ffc0d43aad5dea985ddb2ae506a28e548f88
-
SHA256
bf69d7e6dc53d7406f9ca42a77aab58d4fab67d8c0778f71efc77a9fb653e4c9
-
SHA512
9cefd277e30b232bc661826cf0361d8b0f028378002112b114123ad92317cc610425add500a6858367de7aa60599092d9641eb0af1b58fd16850a970fd6001f8
-
SSDEEP
12288:Ftzd+m39dkAf5YSyBThO6QEJ7KJajLYDcks2qIUtd88ZAFfhAR/e4Fkf:FthkszyqFYKqYHMIN8iFZARG4U
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
UAC bypass
-
Windows security bypass
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Detects executables packed with or use KoiVM
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-