Overview

overview

10

Static

static

1

25a2064d88...e0.exe

windows7-x64

10

25a2064d88...e0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    25a2064d88df7b8a4d10beb5047e6d9781e1225fe4c05da6e7a2addcb63109e0.exe

  • Size

    615KB

  • Sample

    240821-lyqsqasarh

  • MD5

    9f9181ca97352b11ff711c85b4c11a7b

  • SHA1

    819e999ccc39fac46727b363e7850f14c1e45c2a

  • SHA256

    25a2064d88df7b8a4d10beb5047e6d9781e1225fe4c05da6e7a2addcb63109e0

  • SHA512

    cbe608d3068ce258b8ea353928c26dcc8d690e2d23951ca5042a020a790703719163fec24c4567ca8548cdc39a4ad9761462e5c3ea071cc8e3d67bdcafe3b5aa

  • SSDEEP

    12288:5IJ2iNz42eWzSB9OsHHxcdnfsiwnj4KsnUm9L6YgNDgVyvAkR:g1x4HWzSB9OsHH0U9jPsnUm96YgJgVu

Score
10/10
lokibotcollectioncredential_accessdiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify?file=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      25a2064d88df7b8a4d10beb5047e6d9781e1225fe4c05da6e7a2addcb63109e0.exe

    • Size

      615KB

    • MD5

      9f9181ca97352b11ff711c85b4c11a7b

    • SHA1

      819e999ccc39fac46727b363e7850f14c1e45c2a

    • SHA256

      25a2064d88df7b8a4d10beb5047e6d9781e1225fe4c05da6e7a2addcb63109e0

    • SHA512

      cbe608d3068ce258b8ea353928c26dcc8d690e2d23951ca5042a020a790703719163fec24c4567ca8548cdc39a4ad9761462e5c3ea071cc8e3d67bdcafe3b5aa

    • SSDEEP

      12288:5IJ2iNz42eWzSB9OsHHxcdnfsiwnj4KsnUm9L6YgNDgVyvAkR:g1x4HWzSB9OsHH0U9jPsnUm96YgJgVu

    Score
    10/10
    lokibotcollectioncredential_accessdiscoveryexecutionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks