General
- Target: Obrazac za povrat novca 202400097004892.cmd.e.exe
- Size: 817KB
- Sample: 240703-hw3sqawdnp
- MD5: cae1057e3be1c54b180e5d099a700b74
- SHA1: ef526b7d49e2f5fb3fe318df5594a76962e5207f
- SHA256: 866c6f0599d2375ac1d50a165f5735c74b980bc6bdea3f023522f897999f6770
- SHA512: a5c5bd7ca101cd2693eb29c23962307fef200a108a130854da28f8f1d2f55139888dad4819c65647ed234ec1392457ffe85f22b7927c4e3228cbeca3f83328c9
- SSDEEP: 12288:SKld2Nf+wJEhJaeS4U/zMdX5da8ErxKyJQ/lDm6QBJ5Ye2ErnhyIc97aO3/87TzA:wzEhJnSbOX5da83liYnH3EDsnhr
Static task: static1
Behavioral task: behavioral1
- Sample: Obrazac za povrat novca 202400097004892.cmd.e.exe
- Resource: win7-20240611-en
Malware Config
Extracted
lokibot
http://104.248.205.66/index.php/modify.php?edit=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: Obrazac za povrat novca 202400097004892.cmd.e.exe
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext