General

  • Target

    a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018.exe

  • Size

    743KB

  • Sample

    240613-bxwbpsyhre

  • MD5

    ac82a4aa50ad21a166029cedbcde551f

  • SHA1

    26eed14a90fd7f8992660d375f3b77342183b13a

  • SHA256

    a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018

  • SHA512

    887790abbeca7376e17e4ceb35a6ee4819398c788ab7fce2e7be2868793b379b8f97926f003e584e9240dc73485aa7b7519c2a6d4707bd27c0fb1aa9def01145

  • SSDEEP

    12288:hDfjMCvBwgSlhsAg1DI+VNJXZ+KJsVDoCOzJ9BZ83hMbcl+SDvXQKEmz:hDfggSlK71DIuZ+Cs2FwujSDvqm

Malware Config

Extracted

Family

lokibot

C2

http://45.61.136.239/index.php/9460648709801952970

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
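The five C2 URLs above are the actionable part of this report for a defender. The script below, added here as an example and not part of the sandbox report, turns them into host and host+path indicators and runs those over proxy and DNS log lines. The log formats and every log line are constructed for illustration; only the C2 URLs come from the report.

```python
"""Match the Lokibot C2 indicators from the extracted config against proxy
and DNS log lines.  Added example; not part of the sandbox report.  The
log lines below are constructed for illustration."""
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://45.61.136.239/index.php/9460648709801952970",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Split each C2 URL into a host set and a (host, path) set.

    Hosts match on their own (DNS qname, TLS SNI, proxy host field).
    Paths only match together with their host: /index.php on its own
    would light up half the internet."""
    hosts, host_paths = set(), set()
    for u in urls:
        p = urlparse(u)
        host = p.hostname.lower()
        hosts.add(host)
        host_paths.add((host, p.path))
    return hosts, host_paths


# Constructed proxy access log (timestamp, client, method, URL); not real traffic.
PROXY_LOG = """\
1718250000.123 10.0.0.15 POST http://alphastand.top/alien/fre.php
1718250001.456 10.0.0.15 GET http://update.example.com/index.php
1718250002.789 10.0.0.22 GET http://45.61.136.239/index.php/9460648709801952970
1718250003.000 10.0.0.31 GET http://example.org/alien/fre.php
"""

# Constructed DNS query log (timestamp, client, qname); not real traffic.
DNS_LOG = """\
1718249990 10.0.0.15 kbfvzoboss.bid.
1718249991 10.0.0.40 www.example.com.
1718249992 10.0.0.15 ALPHASTAND.WIN.
"""


def scan_proxy(log_text, urls=C2_URLS):
    """Return (client, url) for every proxy line that hits a C2 host+path."""
    _, host_paths = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        p = urlparse(url)
        if ((p.hostname or "").lower(), p.path) in host_paths:
            hits.append((client, url))
    return hits


def scan_dns(log_text, urls=C2_URLS):
    """Return (client, qname) for every DNS query to a C2 domain.

    The raw-IP C2 (45.61.136.239) never shows up as a qname, so this
    check only covers the domain indicators; pair it with scan_proxy or
    a firewall/NetFlow check against the IP."""
    hosts, _ = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()   # normalise trailing dot and case
        if qname in hosts:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    for client, url in scan_proxy(PROXY_LOG):
        print(f"C2 beacon  {client} -> {url}")
    for client, qname in scan_dns(DNS_LOG):
        print(f"C2 lookup  {client} -> {qname}")
```

The fourth proxy line (a different host with the same /alien/fre.php path) deliberately does not match: matching the path without its host would be noisy, while matching the host alone is enough for the DNS side because those domains have no legitimate use.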

Targets

    • Target

      a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018.exe

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and session tokens.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Commonly seen in process injection, where the thread context of a suspended process is rewritten to point at injected code.
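The PowerShell behaviour flagged above (adding Defender exclusions) is visible in process-creation telemetry, but only if the detection also looks inside -EncodedCommand payloads. The script below is an added example, not part of the sandbox report or of the Lokibot sample: it classifies constructed process command lines, decodes the base64 UTF-16LE payload that powershell.exe accepts under -EncodedCommand and its prefixes, and tags exclusion changes and outright disabling. The events, the encoded payload and the tag names are constructed for illustration.

```python
"""Flag process command lines in which PowerShell adds Windows Defender
exclusions or switches protection off, including payloads hidden behind
-EncodedCommand.  Added example; not part of the sandbox report.  The
events below are constructed for illustration."""
import base64
import re

# Cmdlet/parameter pairs behind "add exclusions for extensions, paths, processes".
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE | re.DOTALL,
)
# Set-MpPreference switches that turn Defender components off outright.
DISABLE_RE = re.compile(
    r"-Disable(?:RealtimeMonitoring|BehaviorMonitoring|IOAVProtection"
    r"|IntrusionPreventionSystem)\b",
    re.IGNORECASE,
)
# powershell.exe accepts -EncodedCommand, -ec, or any left prefix of the
# full name (-e, -en, -enc, ...); the payload is base64 of UTF-16LE text.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_RE = re.compile(
    r"-(?:%s|ec)\s+([A-Za-z0-9+/=]{8,})" % _PREFIXES, re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text, or None when absent
    or when the argument is not valid base64-wrapped UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the detection tags that apply to one command line."""
    tags = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        tags.append("encoded_command")
        text = cmdline + "\n" + decoded   # scan the decoded script as well
    if EXCLUSION_RE.search(text):
        tags.append("defender_exclusion")
    if DISABLE_RE.search(text):
        tags.append("defender_disable")
    return tags


# Constructed encoded payload (hypothetical; built here so the literal is exact).
ENCODED_SAMPLE = base64.b64encode(
    "Add-MpPreference -ExclusionExtension .exe".encode("utf-16-le")
).decode("ascii")

# Constructed process-creation events (image, command line); not from the report.
EVENTS = [
    ("powershell.exe",
     "powershell.exe -NoP -W Hidden -Command Add-MpPreference "
     "-ExclusionPath 'C:\\Users\\Public' -ExclusionProcess 'svchost.exe'"),
    ("powershell.exe", "powershell.exe -enc " + ENCODED_SAMPLE),
    ("powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ("powershell.exe", "powershell.exe -Command Get-MpPreference"),
    ("powershell.exe",
     "powershell -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""),
]


def scan_events(events=EVENTS):
    """Return (command line, tags) for every event that raised at least one tag."""
    return [(cmd, classify(cmd)) for _, cmd in events if classify(cmd)]


if __name__ == "__main__":
    for cmd, tags in scan_events():
        print(", ".join(tags), "|", cmd[:70])
```

In practice the command lines come from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled). Note the limitation: the match is on cmdlet and parameter names, so string concatenation or other obfuscation inside the script evades it; a second layer that reads Script Block Logging (Event ID 4104), where the de-obfuscated script text appears, closes that gap.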

MITRE ATT&CK Enterprise v15
