General

  • Target

    ac82a4aa50ad21a166029cedbcde551f.bin

  • Size

    573KB

  • Sample

    240614-c4mtksscrd

  • MD5

    717a2251047a6afd862862c36ec50af2

  • SHA1

    92b39eb7097a138e134106ef71391ac55a9df635

  • SHA256

    f96f66ed4d79565b462172a1e6f0a66ebdee9da9f54d7ebe28a569cc548888b6

  • SHA512

    32230cbdad9fd95488ecebb52cd885c5153671e037550051a0b1f9ae649825aa18a3c2033f36cf5d7df59ca806f674746c9a07a12691989ec1205f28538be8a9

  • SSDEEP

    12288:eF4LfZwMAiPhD4vN7Rb2rc4rt7lLOAWGGG7OmnRjFUvTyaNA+HteqAK:eOLfOqU67rt7lLOBGGG64P+JSuP

Malware Config

Extracted

Family

lokibot

C2

http://45.61.136.239/index.php/9460648709801952970

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018.exe

    • Size

      743KB

    • MD5

      ac82a4aa50ad21a166029cedbcde551f

    • SHA1

      26eed14a90fd7f8992660d375f3b77342183b13a

    • SHA256

      a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018

    • SHA512

      887790abbeca7376e17e4ceb35a6ee4819398c788ab7fce2e7be2868793b379b8f97926f003e584e9240dc73485aa7b7519c2a6d4707bd27c0fb1aa9def01145

    • SSDEEP

      12288:hDfjMCvBwgSlhsAg1DI+VNJXZ+KJsVDoCOzJ9BZ83hMbcl+SDvXQKEmz:hDfggSlK71DIuZ+Cs2FwujSDvqm

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks