General

  • Target

    e1af09d38e802edf8052a97e2e7a66e6420dbe4a33e1984090d41885211250be.exe

  • Size

    973KB

  • Sample

    240523-clme4aaa3x

  • MD5

    e3bf0f83e5924c6dd863c7875598c96e

  • SHA1

    3844bf4a91b809b5af49e48ff76d9487f2a4efe5

  • SHA256

    e1af09d38e802edf8052a97e2e7a66e6420dbe4a33e1984090d41885211250be

  • SHA512

    980b688078d151814637d188f6bab6e255504698b91c8535a525505a31e6ae372a183f08e598f5578812bd8f88b2f50df9aa3b9faf680edb39c0058c77dd6708

  • SSDEEP

    24576:sAHnh+eWsN3skA4RV1Hom2KXMmHaDBjOdgAHq6B5:Lh+ZkldoPK8YaDagAv

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      e1af09d38e802edf8052a97e2e7a66e6420dbe4a33e1984090d41885211250be.exe

    • Size

      973KB

    • MD5

      e3bf0f83e5924c6dd863c7875598c96e

    • SHA1

      3844bf4a91b809b5af49e48ff76d9487f2a4efe5

    • SHA256

      e1af09d38e802edf8052a97e2e7a66e6420dbe4a33e1984090d41885211250be

    • SHA512

      980b688078d151814637d188f6bab6e255504698b91c8535a525505a31e6ae372a183f08e598f5578812bd8f88b2f50df9aa3b9faf680edb39c0058c77dd6708

    • SSDEEP

      24576:sAHnh+eWsN3skA4RV1Hom2KXMmHaDBjOdgAHq6B5:Lh+ZkldoPK8YaDagAv

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks