General

  • Target

    dc17496f619e7a6c9b6fc7392fc8448434bb6b43ecf25431e997be9e7f75fd06

  • Size

    489KB

  • Sample

    240601-hpz39aea52

  • MD5

    7157a0510a65b0692d3b2c0b03dfeeb4

  • SHA1

    b91169e5874927f480fb9411b8aa974d5a526f55

  • SHA256

    dc17496f619e7a6c9b6fc7392fc8448434bb6b43ecf25431e997be9e7f75fd06

  • SHA512

    6988a0ae4ed00307be10ad3b3a2f7b2f92d712d23ba347ed3133d0f70b82a020f28ec02332b2228d8eba479b34d834b9a4a9d48f83aead27d468ade7f3ee3d9c

  • SSDEEP

    6144:yfR9iw9I/WrZTQ8qvl9ac2zU+bw1i/yoS1jsW79N/ni+bFmBq5AM/WSiVjzCBaJb:yfR6er1WavJk1i/FSxDnNBgeWBCm

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
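
The five URLs above give the host and gate path of each C2 in the extracted config. As an added example (not part of the sandbox report and not code from the sample), the following Python scans HTTP proxy log lines for them and grades each hit. The proxy log format and the sample lines are constructed for this illustration; the low-confidence rule for a POST to any `/fre.php` path on an unlisted host is a heuristic assumption drawn from the shape of the paths above, not something the report states.

```python
"""Match HTTP proxy log lines against the LokiBot C2 URLs from the extracted config.

Added example, not part of the sandbox report. The log format ('<ts> <src_ip>
<method> <url> <status>') and SAMPLE_LOG are constructed; adapt parse_line()
to your own proxy before use.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the extracted config above
C2_URLS = [
    "http://sempersim.su/d10/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Exact (host, path) pairs give high-confidence hits; the host alone is medium.
C2_ENDPOINTS = {(urlsplit(u).hostname, urlsplit(u).path) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_ENDPOINTS}


def parse_line(line):
    """Parse one constructed proxy line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    u = urlsplit(url)
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": u.hostname or "", "path": u.path, "status": status}


def classify(rec):
    """Return (confidence, reason) for a parsed record, or None if nothing matches."""
    if rec is None:
        return None
    if (rec["host"], rec["path"]) in C2_ENDPOINTS:
        return ("high", "exact C2 endpoint from extracted config")
    if rec["host"] in C2_HOSTS:
        return ("medium", "known C2 host, different path")
    # Heuristic (assumption, not from the report): every gate above ends in
    # fre.php, so a POST to any /fre.php is worth triage but is not proof.
    if rec["method"] == "POST" and rec["path"].endswith("/fre.php"):
        return ("low", "POST to a fre.php gate on an unlisted host")
    return None


def scan(lines):
    """Return (ts, src, host+path, confidence, reason) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["ts"], rec["src"], rec["host"] + rec["path"], *verdict))
    return hits


SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2024-06-01T10:00:01Z 10.0.0.5 GET http://example.com/ 200",
    "2024-06-01T10:00:07Z 10.0.0.5 POST http://sempersim.su/d10/fre.php 404",
    "2024-06-01T10:00:09Z 10.0.0.5 POST http://alphastand.top/alien/fre.php 200",
    "2024-06-01T10:00:12Z 10.0.0.7 GET http://alphastand.win/favicon.ico 404",
    "2024-06-01T10:00:15Z 10.0.0.9 POST http://other.invalid/panel/fre.php 200",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The status code is deliberately ignored when grading: a 404 from sempersim.su is still a hit, because by the time you look these domains may be parked or sinkholed, and the client that tried to reach them is the infected host.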

Targets

    • Target

      3b0af3f5146f9d1461b10e6535dc47bea08ae7f8f728542aaba25e5cc8d914e0.exe

    • Size

      537KB

    • MD5

      67eb26d7f0aaa1e001828b5d2bfae149

    • SHA1

      364524ec9b431c4bb82f7e2c31480275c82133d8

    • SHA256

      3b0af3f5146f9d1461b10e6535dc47bea08ae7f8f728542aaba25e5cc8d914e0

    • SHA512

      58edb5e7d57603f9f653a8ccc4e4e65aa62f207aaab59a4d87caabe30f3f927e80f6d2954744180a84ea3bed2c5870892e342193d30d90f694260432eb9c3e96

    • SSDEEP

      12288:HbBPJwKcI5JG/d4m5wg3SRV1RUHsuVK+BEL1D1X5OlK0QK0mV91H:7BhcsGV4YSRV7fuVKdbOl+Kx3

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
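
The Defender-exclusion behaviour flagged above is normally visible as a powershell.exe command line (Sysmon Event ID 1, Security 4688) or a script block (PowerShell 4104). As an added example, not code from the report or from the sample, the Python below extracts which exclusions a command line adds or sets, including the case where the script is passed through -EncodedCommand. Every command line in it is constructed for the illustration; the sample's actual PowerShell is not shown on this page.

```python
"""Extract Windows Defender exclusions added from a PowerShell command line.

Added example, not code from the sandbox report or from the sample. The
command lines in SAMPLE_CMDLINES are constructed to cover the shapes a
detector has to handle: plain, lower-case, and wrapped in -EncodedCommand
(base64 over UTF-16LE, which is what powershell.exe expects).
"""
import base64
import re

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# A value is a single- or double-quoted string, or a bare token without
# separators; a parameter may take a comma-separated list of them.
_VAL = r"""(?:'[^']*'|"[^"]*"|[^\s;|&,]+)"""
_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
_PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+("
    + _VAL + r"(?:\s*,\s*" + _VAL + r")*)",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the \b keeps -ExclusionPath and -ExecutionPolicy from matching.
_ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_defender_exclusions(cmdline):
    """Return (parameter, value) pairs for every exclusion the command line
    adds or sets via Add-MpPreference/Set-MpPreference, looking inside an
    -EncodedCommand payload as well. An empty list means nothing to flag."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = cmdline + "\n" + decoded
    if not _CMDLET_RE.search(text):
        return []  # an -Exclusion* token without the cmdlet is not a Defender change
    found = []
    for m in _PARAM_RE.finditer(text):
        canon = next(p for p in EXCLUSION_PARAMS if p.lower() == m.group(1).lower())
        for token in re.findall(_VAL, m.group(2)):
            found.append((canon, token.strip("'\"")))
    return found


# Constructed command lines; the third wraps a script in -EncodedCommand.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\ProgramData\\Update"'.encode("utf-16-le")
).decode("ascii")
SAMPLE_CMDLINES = [
    r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionExtension exe,bat",
    r'powershell -nop -w hidden set-mppreference -exclusionprocess "svchost.exe"',
    "powershell.exe -nop -enc " + _ENCODED,
    "powershell.exe Get-MpPreference",
    r"cmd.exe /c echo -ExclusionPath C:\x",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = find_defender_exclusions(line)
        if hits:
            print(line[:60], "->", hits)
```

Add-MpPreference and Set-MpPreference with -ExclusionPath, -ExclusionExtension and -ExclusionProcess are the real Defender cmdlets and parameters; the detector gates on the cmdlet name so that a stray -ExclusionPath string in an unrelated command does not fire. On a host you suspect, the same parameters can be audited after the fact with Get-MpPreference.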

MITRE ATT&CK Enterprise v15

Tasks