General

  • Target

    795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357.exe

  • Size

    512KB

  • Sample

    240530-bn5h1shb9y

  • MD5

    cff39149d540e851536383f64d5f5568

  • SHA1

    2cd49c6f28ecea254e22a75e3e77092a67d26774

  • SHA256

    795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357

  • SHA512

    0f3eb77eb9396ec5ec63fc166e12167bf651e433b5c7831935ed2c965eed85b94b9893e6d20d207473f126b273f60c4b6378859b85613cc630acd7c7b70a6ba6

  • SSDEEP

    12288:UidJS4V9ulMb8Z6j2B0TM4kQhrLO9rAq7BH7Q4a2Y4tS87W:5ScN4ZsvTM4DhXfIBUa17W

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

    • Target

      795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357.exe

    • Size

      512KB

    • MD5

      cff39149d540e851536383f64d5f5568

    • SHA1

      2cd49c6f28ecea254e22a75e3e77092a67d26774

    • SHA256

      795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357

    • SHA512

      0f3eb77eb9396ec5ec63fc166e12167bf651e433b5c7831935ed2c965eed85b94b9893e6d20d207473f126b273f60c4b6378859b85613cc630acd7c7b70a6ba6

    • SSDEEP

      12288:UidJS4V9ulMb8Z6j2B0TM4kQhrLO9rAq7BH7Q4a2Y4tS87W:5ScN4ZsvTM4DhXfIBUa17W

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.