General
-
Target
4f28d09d883b746ee2ea52b8e86881ee6f11057fc976c7b085c44092b7fae87a.exe
-
Size
539KB
-
Sample
240523-bvw58agg67
-
MD5
abc704a143b0aea77687bb203b6de9df
-
SHA1
4d159f96fcb7b896e723aeceeccfa2c9aaf7edd8
-
SHA256
4f28d09d883b746ee2ea52b8e86881ee6f11057fc976c7b085c44092b7fae87a
-
SHA512
164455bf0d0d2402876331fe193c7508f1799b5d8ed3032eae0c8e4f6da039a8a9de01fa0339cc0bf98b4cba2eb72fd7880d4e0c4280bf0c6bae0707b893d6af
-
SSDEEP
12288:Z1vxBqngeoB/0yO0yFTHP7l88LJxtwXDE3V5hA1U5KXb2YkR:j5Bqngeo0ywNv3LRqDoVA1U5Ky
Malware Config
Extracted
lokibot
http://193.238.153.15/evie1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
4f28d09d883b746ee2ea52b8e86881ee6f11057fc976c7b085c44092b7fae87a.exe
-
Size
539KB
-
MD5
abc704a143b0aea77687bb203b6de9df
-
SHA1
4d159f96fcb7b896e723aeceeccfa2c9aaf7edd8
-
SHA256
4f28d09d883b746ee2ea52b8e86881ee6f11057fc976c7b085c44092b7fae87a
-
SHA512
164455bf0d0d2402876331fe193c7508f1799b5d8ed3032eae0c8e4f6da039a8a9de01fa0339cc0bf98b4cba2eb72fd7880d4e0c4280bf0c6bae0707b893d6af
-
SSDEEP
12288:Z1vxBqngeoB/0yO0yFTHP7l88LJxtwXDE3V5hA1U5KXb2YkR:j5Bqngeo0ywNv3LRqDoVA1U5Ky
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-