General
-
Target
bff8cb2aefafe7c6ed5de903bdd1aa0f9cdb6514085ea82f982747ce9e7d6129.zip
-
Size
505KB
-
Sample
240908-qkm7wszgpd
-
MD5
f7f595eaf41f64ab7760a2949f7af920
-
SHA1
5c92357ed4fcc7c7a13a5c9e338f92827a4c72be
-
SHA256
ec8233d463e054913c841e9f95344144a382e4381bc62e867c6d2121fd577114
-
SHA512
f5dd72e30bccaee8d5e8f7cda60576957970a56689a3f5d35e1f88d0f620ec4ddf8b93b5881e3e0469570113d999b578aa9abb834b5dc305661ffabaca23a650
-
SSDEEP
12288:SMA3uu9lSxLIS/OvX9v8BB0VGCfZ9k50Ydr4fQJEcZDSaU02PK:SpeuCySWf+DwGQZ9k5044fQlZDr+K
Malware Config
Extracted
lokibot
http://104.248.205.66/index.php/pages?id=281164463123697
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
bff8cb2aefafe7c6ed5de903bdd1aa0f9cdb6514085ea82f982747ce9e7d6129.exe
-
Size
582KB
-
MD5
40a06f63a197fb03ef98a9abd5d32f38
-
SHA1
5c0d43b5f956715fa9e7b9277fe0268add2189f3
-
SHA256
bff8cb2aefafe7c6ed5de903bdd1aa0f9cdb6514085ea82f982747ce9e7d6129
-
SHA512
07c7c2c950594a512f1a10f5a1309ffd6ff85f785fb3d095931835660631127d0a1d90e49818fa296353c331377f134de518c963392df76dac96d362ad674e95
-
SSDEEP
12288:YpXRssSHKjOYw9ukiZ7F5mFLgdKhEAm58Q0qbkR:YpBssSq6tuk62Bg288QO
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1