General
-
Target
BBQ.html
-
Size
21KB
-
Sample
240516-ltgz1seg8v
-
MD5
10b8faa7c6df2ea9cd4845ca2bcb7252
-
SHA1
4462a99a4f41ab622e2ea0c161a8dd79f73eacf7
-
SHA256
3f76c7416a51ba3f2bd3fc67e87b9a29dc833943b444170cbfe2687f0c6b165b
-
SHA512
16528e1ba46890192a90f0e3600a6aefe0329dee4496acbedba587a66994dc8d09c7cf8ee91dd218b95016dae9fe680ab7ea52283ea62a518b6cc15d39f9b5df
-
SSDEEP
384:bbg5xWgrGaXdQ+vTMCpgexi1WFDmwtygLXT8OZru12ttkDo5gM0rxMjfSSVsBEK7:bbg5xWgrdtQ+vTMCpgaiAFDmwt3DAOZ+
Malware Config
Extracted
lokibot
http://spencerstuartllc.top/evie2/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
BBQ.html
-
Size
21KB
-
MD5
10b8faa7c6df2ea9cd4845ca2bcb7252
-
SHA1
4462a99a4f41ab622e2ea0c161a8dd79f73eacf7
-
SHA256
3f76c7416a51ba3f2bd3fc67e87b9a29dc833943b444170cbfe2687f0c6b165b
-
SHA512
16528e1ba46890192a90f0e3600a6aefe0329dee4496acbedba587a66994dc8d09c7cf8ee91dd218b95016dae9fe680ab7ea52283ea62a518b6cc15d39f9b5df
-
SSDEEP
384:bbg5xWgrGaXdQ+vTMCpgexi1WFDmwtygLXT8OZru12ttkDo5gM0rxMjfSSVsBEK7:bbg5xWgrdtQ+vTMCpgaiAFDmwt3DAOZ+
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-