General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
-
Sample
240528-lmxrwsfd62
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-