General
-
Target
64665200a953a20b6f2a51b1071469a1d4984432da6384b76cc2bd81bd66f85a.exe
-
Size
608KB
-
Sample
240703-brkysathnr
-
MD5
f17d5a8b9a853e6f1647cfe74dfa8db8
-
SHA1
86cf4eefa5867518636070d71ef8448d8901c880
-
SHA256
64665200a953a20b6f2a51b1071469a1d4984432da6384b76cc2bd81bd66f85a
-
SHA512
c44a70526ca1fa3ab1900ea7526fe3970ea9c24652bf8aa331b9f77d072605d68767dd00f0afefd6525e3f667922c202215fa8e76b87a12c20fc2106043a5f70
-
SSDEEP
12288:UlrujSANT3ukfuZt1h/PyOgDvIZfcHgGc+4016Wm8+VWo2TtEtrddZN5/RqUQekR:UlqjFT3ukGrnPyPvI1cHg3WCVWLF
Static task
static1
Behavioral task
behavioral1
Sample
64665200a953a20b6f2a51b1071469a1d4984432da6384b76cc2bd81bd66f85a.exe
Resource
win7-20240419-en
Malware Config
Extracted
lokibot
http://45.61.136.239/index.php/gyr.php?id=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-