General

  • Target: 12aee4a37e5f760d7d3956b9c3971c178a12306c5f4f3e2a13ae713c4b6e2bb8.exe
  • Size: 550KB
  • Sample: 240601-be1tgach32
  • MD5: 50c156d997a7a290e551affe4dbb1eea
  • SHA1: ee069fb353c98a855474e7b8a201b34420712df8
  • SHA256: 12aee4a37e5f760d7d3956b9c3971c178a12306c5f4f3e2a13ae713c4b6e2bb8
  • SHA512: 8b3e5b73e80b10653859c57cb4333ba71869202b9ff00d58f240b97c47c71248223b5cf64fd8fb10ea3287d9bbef2b40138bc554ce05a8c232eae306645c8ef6
  • SSDEEP: 12288:VEPOMZQv5BW/XL5NNGyn5r3rqLrENhjVEJd4El0ffQewe:rmQRBCtNzd76oNhhEJdhl0nX

Malware Config

Extracted

  • Family: lokibot
  • C2:

    http://sempersim.su/d10/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocoin wallet stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15