General

  • Target

    a17eeeebd01e2b2756e481339a001b068a4bf04f6b2e7626b39b1e77063507d7.exe

  • Size

    596KB

  • Sample

    240524-bzglbsgd9y

  • MD5

    63c2c72a019bee6e49b658934f909336

  • SHA1

    2c95922ec392ee67ec941b7e033c055cbf0b9492

  • SHA256

    a17eeeebd01e2b2756e481339a001b068a4bf04f6b2e7626b39b1e77063507d7

  • SHA512

    372c7c7ae5037d072589bba780cdf682bbd6590a26fd3093871162f837e583df16c15438787bfcf8da1ec6c18ee00adf4179797e11ecc47eccb69f3f9bd66846

  • SSDEEP

    12288:KHwEV0vgLt3ZzZqZsENsXTUPYO0zqn4MHRifuoX0pWA0aJLZM/PxItBhIc+A:QwEpzseENa2YN+n1opiWiuPxqIc+A

Malware Config

Extracted

Family

lokibot

C2

http://sssteell-com.asia/sht/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      a17eeeebd01e2b2756e481339a001b068a4bf04f6b2e7626b39b1e77063507d7.exe

    • Size

      596KB

    • MD5

      63c2c72a019bee6e49b658934f909336

    • SHA1

      2c95922ec392ee67ec941b7e033c055cbf0b9492

    • SHA256

      a17eeeebd01e2b2756e481339a001b068a4bf04f6b2e7626b39b1e77063507d7

    • SHA512

      372c7c7ae5037d072589bba780cdf682bbd6590a26fd3093871162f837e583df16c15438787bfcf8da1ec6c18ee00adf4179797e11ecc47eccb69f3f9bd66846

    • SSDEEP

      12288:KHwEV0vgLt3ZzZqZsENsXTUPYO0zqn4MHRifuoX0pWA0aJLZM/PxItBhIc+A:QwEpzseENa2YN+n1opiWiuPxqIc+A

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • UAC bypass

    • Windows security bypass

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with or use KoiVM

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Collection

Email Collection

1
T1114

Tasks