General

  • Target

    3c9f8c2884eb47b52f0c09d9222ee971a55a9d68cb39f92bfa9d4db645965bca.rar

  • Size

    529KB

  • Sample

    240522-vgtmqahg46

  • MD5

    70c781608fef254f335b8d7846b910af

  • SHA1

    649207c5453ab05127f232da543e34bf30376b22

  • SHA256

    3c9f8c2884eb47b52f0c09d9222ee971a55a9d68cb39f92bfa9d4db645965bca

  • SHA512

    88b2f4c013432e51083ca77ece3da3bc1de4ad046b2d005e7aeb09ff3dcdfd14489fce92bb4588aea9e5299538c1ca2e3ad5fdbfc97a428c4eee0c30b6ba9498

  • SSDEEP

    12288:eu3SEKEKh+iYWUuooJzglsOnv85YdNhVSFpDFkLTIA3G:zSELKQdWUNoJzysOnLfn4FFIO

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/t?id=090

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      FedEx Receipt_AWB# 102235506763.exe

    • Size

      583KB

    • MD5

      2a8b4be893e8e3d091d47dbd1491d80e

    • SHA1

      31e302c707d6cf8f7d949f54f26955b9ff6aa17f

    • SHA256

      a26e16d509a27265de9e3cf3cd5bc96d5e13b2ce1709d54d82ac8885823b35ae

    • SHA512

      ebaa3dc379c69f40ef1fa627c6c9c65c397338cca96b0da56b560f377bfbce58cf10ce9c6fc22d8f0ed6599efedbd72e4fea4d5757b834377763d12d9bc104b4

    • SSDEEP

      12288:0DWET/mr9Ke8BcDgbNHib+2Sd+GiBrUIonw6kR:0DWteB8qFO+28p4

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks