Overview

overview

10

Static

static

1

98e1aa492f...0b.exe

windows7-x64

10

98e1aa492f...0b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    208c31479a014536a9fe9c13acc0d403.bin

  • Size

    452KB

  • Sample

    240621-c2qsfswdqf

  • MD5

    3cd9e08f3140a1e1c3115ce8d7fd0762

  • SHA1

    67bb5f6b667ad4e715a1e34339fdebcba41a89e0

  • SHA256

    9c0b6b97d59b6256d1c6fde1d047f1fa24d1c911f2772f55a4fdad608b484e09

  • SHA512

    e0d2cd5c4bc94d4880c44c2c095543a59c35118eace1850d65d1aaf8e7c5e33ba4297c6b594e89239fce279805c7c24c1dcef429e4a8b5aa1315d2951795153b

  • SSDEEP

    12288:YLmdAVhjfSTrT7lKKeFkOEnpiCsux21Sr:QajxmkOYpiCsumSr

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b.exe

    • Size

      490KB

    • MD5

      208c31479a014536a9fe9c13acc0d403

    • SHA1

      e9e082b4a5cbd4ce17168d4164dfa6fab84bf2cd

    • SHA256

      98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b

    • SHA512

      c1835226ae6bafd4309806773dbfd782dd39f71ffc760a74a822559b017457d9ac1b4f7e53f53bde1bd16150b454d7732855588eba6fc8513ff2a4ac00e98b2a

    • SSDEEP

      12288:+3Omoel/jaCQRwfzt/sWo5hZg1OpckFqUj7DWkR:Hmnl/2Cy/5hi0WkFlN

    Score
    10/10
    lokibotcollectionexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks