General

  • Target

    1e032e0691cf6bf5bbd933dec82bcd276a47c7d588a490f073c031a3a94a9a1b.exe

  • Size

    583KB

  • Sample

    240521-rjcv7sgg22

  • MD5

    b0a005520aef03472ef93def5a901c87

  • SHA1

    7d148ca6049459a4d61c6f89e64f7c2100ee7487

  • SHA256

    1e032e0691cf6bf5bbd933dec82bcd276a47c7d588a490f073c031a3a94a9a1b

  • SHA512

    ed59ce83b0e7815cd200ddfa4d97d2ec8f6f1ce582f69bfa4b181bcdb416be5966e2016cf1b6ff0b5860754656c55871a0b63905e4c761ec214d9e29f26c27d4

  • SSDEEP

    12288:TWET/mr9KRc5p8IIl+22kPkhxp0ckAKcX3nCJK+gkR:TWtrr8IIJtkhH07AKcX3nCX

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/index?id=671120760852658

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      1e032e0691cf6bf5bbd933dec82bcd276a47c7d588a490f073c031a3a94a9a1b.exe

    • Size

      583KB

    • MD5

      b0a005520aef03472ef93def5a901c87

    • SHA1

      7d148ca6049459a4d61c6f89e64f7c2100ee7487

    • SHA256

      1e032e0691cf6bf5bbd933dec82bcd276a47c7d588a490f073c031a3a94a9a1b

    • SHA512

      ed59ce83b0e7815cd200ddfa4d97d2ec8f6f1ce582f69bfa4b181bcdb416be5966e2016cf1b6ff0b5860754656c55871a0b63905e4c761ec214d9e29f26c27d4

    • SSDEEP

      12288:TWET/mr9KRc5p8IIl+22kPkhxp0ckAKcX3nCJK+gkR:TWtrr8IIJtkhH07AKcX3nCX

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks