General
Target: megerosites (2).cmd
Size: 1.1MB
Sample: 240715-l6v3ea1dkn
MD5: 65cefbbc1cd33cd5e6b220e902627156
SHA1: 81c4a718ef62b40bba30efd9e792cc73350f18cc
SHA256: bc19489508c3e815809eba7c3b901b0adaf21c246dc33032f4aea7d36d0cbc4b
SHA512: b0c102cc67b30ed3bbe9c2f350a8b7a82415c178dff930cdfd096b07ce65cf224b0659259598c03ecbd0f3f45b9771d39a811ec754afdbfd914842cd6769d924
SSDEEP: 24576:d5rzaUcNwB7ZxrwCx2bTRVEtbstfpf0VlvAB/h/FO7d:dJz4CvxwCxiRVwmpcVu/k

Static task: static1
Behavioral task: behavioral1
Sample: megerosites (2).exe
Resource: win7-20240705-en

Malware Config
Extracted: lokibot
URLs:
  http://104.248.205.66/index.php/modify.php?edit=1
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Signatures:
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext