General
-
Target
SWIFT Transfer(103)CMRTG24264000825.exe
-
Size
560KB
-
Sample
240926-qectzasbjd
-
MD5
09d540fb3cd0d08a7e0b80279e24edda
-
SHA1
135468d20731746f2971a2d54ab2d427d9a268fa
-
SHA256
da670b909c2881ec6c0215bdebab544f72aca4e56af99581723f7cd08065dd60
-
SHA512
86979e8e02e7c5c1b0b555e7394d232110dbf027798bb87fa4afddaf7d28e4b292ec36e2ca7537710e0133d66b9d126aa16ccc419b74224da7158a4fde9186c3
-
SSDEEP
12288:Za8bQbYz7Jyj+z4AI1x13Ou4JsVGi+mXbsPKiB7XXQkR:ZpIY464AI1nOussgiRifH
Malware Config
Extracted
lokibot
http://168.100.10.152/index.php/7953330748856
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
SWIFT Transfer(103)CMRTG24264000825.exe
-
Size
560KB
-
MD5
09d540fb3cd0d08a7e0b80279e24edda
-
SHA1
135468d20731746f2971a2d54ab2d427d9a268fa
-
SHA256
da670b909c2881ec6c0215bdebab544f72aca4e56af99581723f7cd08065dd60
-
SHA512
86979e8e02e7c5c1b0b555e7394d232110dbf027798bb87fa4afddaf7d28e4b292ec36e2ca7537710e0133d66b9d126aa16ccc419b74224da7158a4fde9186c3
-
SSDEEP
12288:Za8bQbYz7Jyj+z4AI1x13Ou4JsVGi+mXbsPKiB7XXQkR:ZpIY464AI1nOussgiRifH
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1