General

  • Target

    Maersk_SVRhXM4JeryzaVE.exe

  • Size

    584KB

  • Sample

    240606-jbs88acc44

  • MD5

    df3163b64cb2001df0d95727cd777b21

  • SHA1

    6e9a749fd099ba82f6b2b8eeac94933f40449438

  • SHA256

    f06d778eb278b9611ef39826907f9e083fb392e90fb313a9549d3b67971b1ae8

  • SHA512

    d306038a5c29a375457c4d90d4e7bd4b515343d405b689efb6bacbf9f296c11047b7cdb09d5eefbdf377d682a86f19231b3debfa8ce124de9f602b7b4981b53a

  • SSDEEP

    12288:3gsoqKfiqyJMlJNitoo7niiZfWddWZd2juo5CoL:cN5OS8yfiZA6cL

Malware Config (extracted)

  • Family

    lokibot

  • C2

    http://sempersim.su/d1/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
