General
-
Target
09092024130909092024FedExInvoice2447907012.gz
-
Size
456KB
-
Sample
240909-w1y7zsselq
-
MD5
353eed1166d4eb3a4045e6c39f5ac9fb
-
SHA1
e2b4b8a1d713266abe6658f87abdf1358a08cc78
-
SHA256
77edf4ddf550b66ef92240bbff45ed2e4eb3258a6dc6b1a02817cd63a8395d09
-
SHA512
d589e3a3feacaf2292f33f384d99726572c3039613ca79780a15a2729385b9a741afeaec10721b9d36d3c92f073b4b015851ef91205acae095e81fc1f6e15cea
-
SSDEEP
12288:FornzRxTflUq2JT6h8/9XFO7SBNrdNF26:K3TfyFV6ZkhG6
Malware Config
Extracted
lokibot
http://104.248.205.66/index.php/posts?edit=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
FedEx_Invoice 2447907012.exe
-
Size
517KB
-
MD5
21445c286b7686d1b3db46b9b5c2c93f
-
SHA1
1954986ecf57aea5f08a66e574784843bd8e0f55
-
SHA256
0fb11aa67f57a2615b32653bc67e989f87a73d84192f6d606ba3a3b1ff37c844
-
SHA512
e7729e18035bfdf58a8c1ef5bd2634429d856c4f054b05a5aa89798933859ba46829bbb69033da55e3bf73abc1a1501026f7910b9e943d04992bfbc8618be440
-
SSDEEP
12288:RsdojmLZc03370GI6gL9ivcxszqOD2B9i72lySkR:xj+G0m6DvcbEwkEyh
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1