General
-
Target
DB9KJ06B11.gz
-
Size
464KB
-
Sample
240926-qsyctszbjl
-
MD5
cfe3037fd1bf611098d20b7a1681ecbd
-
SHA1
ca79d366f2c5fc269798fd987b58ea2f89e7a510
-
SHA256
fb8a5918cf7f8582b8cfde83cca1d43603a40df011522d2cce5f84cb3d20981c
-
SHA512
32d8a05b795b54f4c17bb58e87e4c147803701c6aa5003ab359ea7dc08afcc11247e449d55e022c3fbeff453d7badd9e0a833cb5363f55264e9fc7f3eaca1087
-
SSDEEP
12288:jvrgkHfRqX+377vIGoZ2pvSqBFeOIJnzUgr9d8hAd:j7/YXI7rx3PFl+n4Od
Malware Config
Extracted
lokibot
http://168.100.10.152/index.php/7953330748856
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
DB9KJ06B11.exe
-
Size
530KB
-
MD5
e99e62a86238a84f6fc9bc4073aa4f8b
-
SHA1
372db4e91ca74c8eef9defc47b8cdd109ff20571
-
SHA256
dd78820b9e65cea5f79c836569acabb0d30e3a0c811f7adb3041e05b3bb7ddb5
-
SHA512
a7aaf89ae2d1b4d0e29caa293c75b90b6ac793e5821815810fc302c55e2b5fc85ba76428f229af95449f8ecf7c62e1f1a6cf2c255dd53d11353c40f6da651752
-
SSDEEP
12288:Cdfex0KH7J2p7TM8mZwpLS8bj025/wQkR:Smb0pnxpF024X
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1