General

  • Target

    RFQ#678903403.exe

  • Size

    572KB

  • Sample

    240516-dsf3bshh2t

  • MD5

    995ab432c90e16c1bb7b134ebef8112b

  • SHA1

    aef4e550b58314067b09969ff59d6ff2d305ba6f

  • SHA256

    7a22ca639bbbf6ba2411a43fc17a2edd29c92f34f62349c978382c19eed0fbf9

  • SHA512

    eb12fbe098e13d29b2e70d09a10e741b9231ef6fc74dae4743efac05a76d0edb0390145119e8433b9a665e0368c243cba3ee253cfc24d79ae71698dfe0cf41cb

  • SSDEEP

    12288:E0pei36RPoBCLCPV2jffqgcjSe3XIl9y8myWzh6DkR:npp36loPPU7C+e3XonQzF

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/t?id=090

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      RFQ#678903403.exe

    • Size

      572KB

    • MD5

      995ab432c90e16c1bb7b134ebef8112b

    • SHA1

      aef4e550b58314067b09969ff59d6ff2d305ba6f

    • SHA256

      7a22ca639bbbf6ba2411a43fc17a2edd29c92f34f62349c978382c19eed0fbf9

    • SHA512

      eb12fbe098e13d29b2e70d09a10e741b9231ef6fc74dae4743efac05a76d0edb0390145119e8433b9a665e0368c243cba3ee253cfc24d79ae71698dfe0cf41cb

    • SSDEEP

      12288:E0pei36RPoBCLCPV2jffqgcjSe3XIl9y8myWzh6DkR:npp36loPPU7C+e3XonQzF

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks