General

  • Target: 7e7cf728c28c04d181a53b7a1f1040ec.bin
  • Size: 509KB
  • Sample: 240608-dypawshb77
  • MD5: 8ed205417359c53438c759b78a26b401
  • SHA1: 5de1dfcd2dc0a6ee68ef22d8af99b57b354b7618
  • SHA256: 8d9a2459b2fbd53b107743b390b540424f54e5b9809b49887f00d66ea01179aa
  • SHA512: 7834b4bce782c188911d45f6a9dbe52779d0db9424027f40fc9d6e663850fd01357fd7a111dc31c61d1e52cf6b77654087904b19d331941fa4f427953808aee3
  • SSDEEP: 6144:HtLtlktnJnflMHvmPCKT2vYEvDlSasux155uGCEXPQnIujH+G8D0RZhEtJVTjf:HxwH2HuyvD5l7kWWII8D0RTWvTz

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://sempersim.su/d1/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Target: 6968fe8fcbbb5e1b6577634abf33c41d1fec5feb5eba4146595520e636d3291b.exe
    • Size: 558KB
    • MD5: 7e7cf728c28c04d181a53b7a1f1040ec
    • SHA1: adaaae1fc339becd50905220a5fd1b88b3b8baf0
    • SHA256: 6968fe8fcbbb5e1b6577634abf33c41d1fec5feb5eba4146595520e636d3291b
    • SHA512: 6140d4d28279b64914793a1fd3384c973c7177abd8b08b836c2a5dd850e91d41f7a23001e43245b69d1ae818920bef8a7043896f837ac29ad9b605eed711b0df
    • SSDEEP: 12288:EN3qyJMny4z8jJz/HHWWrcdINOct0I7ZzkUkdq1XyPicpTxgGRHaJ:s6OjI8JzvFr5N7t0KGqAPi0xPUJ

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks