General

  • Target: yUmGoxo1yynhz6W.exe
  • Size: 537KB
  • Sample: 240530-rg86mabc2v
  • MD5: 67eb26d7f0aaa1e001828b5d2bfae149
  • SHA1: 364524ec9b431c4bb82f7e2c31480275c82133d8
  • SHA256: 3b0af3f5146f9d1461b10e6535dc47bea08ae7f8f728542aaba25e5cc8d914e0
  • SHA512: 58edb5e7d57603f9f653a8ccc4e4e65aa62f207aaab59a4d87caabe30f3f927e80f6d2954744180a84ea3bed2c5870892e342193d30d90f694260432eb9c3e96
  • SSDEEP: 12288:HbBPJwKcI5JG/d4m5wg3SRV1RUHsuVK+BEL1D1X5OlK0QK0mV91H:7BhcsGV4YSRV7fuVKdbOl+Kx3

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://sempersim.su/d10/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target: yUmGoxo1yynhz6W.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
