General
-
Target
FedExReceiptAWB71870755047.gz
-
Size
462KB
-
Sample
240925-yyyvjsydnh
-
MD5
81853a6339dbd4764fd7f797899e5d9e
-
SHA1
6c49c49640c8ee135b8fb213289acb6afa59d9d6
-
SHA256
0402c3af8aa9ff3796ea28b8240ec3f113f825caad5dbada47b90dc13495cf5b
-
SHA512
5b29aaeff6453eb73939c690579aef7c8b2a5e7121d9845927834d216386ff974282f859f1d15cb3b5552e3639af31620f0f50cb00ca2f17d7d8562d15c5af94
-
SSDEEP
12288:yW2u2tzduWuO81WSJo1Kl7NXWIfelsKUZIm8:yWT2J81bm1KJNXWUGsH6m8
Malware Config
Extracted
lokibot
http://168.100.10.152/index.php/check?name=xil0pgeqwmv5hgg
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
FedEx Receipt_AWB# 71870755047.exe
-
Size
520KB
-
MD5
9b9b9861c4bac5b3265f5f2093160ecc
-
SHA1
1d0e49744c9d92e2e0ddef509603200a155d6fa9
-
SHA256
a7122fca4bb62f811710d0149828a2e542ef22f53124319d2f04eecd9abfbec8
-
SHA512
0f4b089a11cdd7e67b631e17956782bc4898da608e24bafd14d6eaaf8816f3bc2d3514b07cea3f5ce7e48e0df4a5963d967e440ee9b590ecf3a9d195f03e6dec
-
SSDEEP
12288:1Kg8bQbna+2a0zP1Hm/ecJcXKLUdhUIu4G6kR:kIa+LVOXKIdhUW0
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1