General

  • Target

    DB9KJ06B1.gz

  • Size

    593KB

  • Sample

    240926-qsynlazbjm

  • MD5

    39958f4cbe4cea3d7e3c7dae5d21f8cd

  • SHA1

    0f1e3dbe6a625b06e350d8fa2817c3efe0d7509f

  • SHA256

    35c2024485f490d1a7ffffccfc6937df0b11b8676127fb432fe3b8e6b85e0ec9

  • SHA512

    ec39dc4d636dcd1459175f3ece69422aa96daf302063d4effdfb13447cb0bceff05546d481142f17b333f27d43fc6d865ba7a2e0e0ac4d064f066fac5f1318de

  • SSDEEP

    12288:P7xdjOUg3IKfNZiQTD4ckCq3co163RmWOLmOwNccCJg/MdJhXlkJB4g7:P7rpg3I7QTACrlQWOLmOwTby6V

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/7953330748856

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
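The five C2 URLs above share one panel path (/alien/fre.php) across four rotating domains plus a direct-IP gate. The following is an added example, not part of the sandbox report, of turning that config into a proxy-log check: it flags any request to a listed host, and separately flags the listed path on a host that is not yet in the list, which is how rotated domains are usually caught. The Squid-style access-log lines and the domain newdomain.example are constructed sample data.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted in the report above.
LOKIBOT_C2 = [
    "http://168.100.10.152/index.php/7953330748856",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(c2_urls):
    """Split each C2 URL into a set of hosts and a set of panel paths.

    Hosts catch traffic to the known infrastructure; paths catch the same
    panel script on a host not yet in the list, which is what you see when
    a campaign rotates domains but keeps the panel layout.
    """
    hosts, paths = set(), set()
    for url in c2_urls:
        parsed = urlparse(url)
        hosts.add(parsed.hostname.lower())
        paths.add(parsed.path.lower())
    return hosts, paths


# Squid native access-log layout (constructed sample, not from the report):
# "<ts> <elapsed> <client> <action/status> <bytes> <method> <url> <user> <hier> <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines, c2_urls=LOKIBOT_C2):
    """Return one hit per log line that touches known C2 hosts or the C2 panel path."""
    hosts, paths = build_indicators(c2_urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parsed = urlparse(m.group("url"))
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host in hosts:
            reason = "known-c2-host"
        elif path in paths:
            reason = "c2-path-on-new-host"
        else:
            continue
        hits.append({
            "client": m.group("client"),
            "method": m.group("method"),
            "host": host,
            "path": path,
            "reason": reason,
        })
    return hits


# Constructed sample log: two known hosts, one rotated domain, one benign request.
SAMPLE_LOG = [
    "1727351000.123    120 10.0.0.15 TCP_MISS/200 512 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/203.0.113.7 text/html",
    "1727351001.456     80 10.0.0.15 TCP_MISS/200 310 POST http://newdomain.example/alien/fre.php - HIER_DIRECT/203.0.113.8 text/html",
    "1727351002.789     60 10.0.0.22 TCP_HIT/200 2048 GET http://www.example.com/index.html - HIER_NONE/- text/html",
    "1727351003.012     90 10.0.0.15 TCP_MISS/200 128 POST http://168.100.10.152/index.php/7953330748856 - HIER_DIRECT/168.100.10.152 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['host']}{hit['path']}  [{hit['reason']}]")
```

The path-only match is deliberately weaker evidence than a host match, so keep the two reasons separate when you turn this into an alert; a hit on /alien/fre.php from a new domain is a lead to pivot on, not proof on its own.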

Targets

    • Target

      DB9KJ06B1.exe

    • Size

      692KB

    • MD5

      f546c5045d223d52d10a11da4a9cf625

    • SHA1

      fb66509226ffdb1885770151dd6b19ecaafda5ad

    • SHA256

      75cc1ed940e44793e1ed307aef46b6f36eff0d69c70356c21b264caffedda4e9

    • SHA512

      5c2f8fc55e59b735173faf3178000ef7107da797b6fb9cc376fa1830067fe5d2f2606a5a19b6ec42f12614294eed0201e065913d11a6fb7954b187314d14edce

    • SSDEEP

      12288:78E8rixlaIH2qwgSUopK4kAC43a+f6fXmWOHsOuNicMJQckdmmdbcQTwnSkR:77fxlaIGgVQ1CxR2WOHsOuFxm8wnh

    • Lokibot

Lokibot is an information stealer that harvests stored passwords and cryptocurrency wallet data.

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely to geofence execution.

    • Reads user/profile data of web browsers

Infostealers commonly target stored browser data, which can include saved credentials and other profile contents.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
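The PowerShell behaviour listed above (adding Defender exclusions) is one of the easier items in this report to detect from logs, provided the detection survives the usual obfuscation. The following is an added example, not part of the sandbox report, of that check run over PowerShell script-block text (the ScriptBlockText field of Event ID 4104): it strips backtick escapes, ignores case, decodes -EncodedCommand payloads (base64 of UTF-16LE), and then extracts every -ExclusionPath, -ExclusionExtension and -ExclusionProcess value passed to Add-MpPreference or Set-MpPreference. The script-block samples, including the paths and the use of the sample's filename as a process exclusion, are constructed for this example.

```python
import base64
import re

# Defender cmdlets and parameters that add exclusions (documented Microsoft cmdlets).
EXCLUSION_CMDLETS = ("add-mppreference", "set-mppreference")
EXCLUSION_PARAMS = ("-exclusionpath", "-exclusionextension", "-exclusionprocess")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# followed by a base64 blob; the 20-char minimum keeps short flags like -ExecutionPolicy out.
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects (used only to build sample data)."""
    return base64.b64encode(command.encode("utf-16-le")).decode()


def normalize_script(script: str) -> str:
    """Fold the obfuscation the check must survive: backtick escapes inside cmdlet
    names, mixed case, odd whitespace, and encoded-command payloads, which are
    decoded and appended so the same matching applies to them."""
    text = script.replace("`", "")
    decoded_parts = []
    for m in ENCODED_RE.finditer(text):
        try:
            decoded_parts.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # long base64-looking token that is not a real encoded command
    for part in decoded_parts:
        text += " " + part.replace("`", "")
    # Whole text is lower-cased; Windows paths and extensions are case-insensitive anyway.
    return re.sub(r"\s+", " ", text).lower()


def _values_after(stmt: str, param: str):
    """Yield the values given to one parameter: quoted, bare, or comma-separated lists."""
    pattern = re.escape(param) + r"\s+(?:\"([^\"]*)\"|'([^']*)'|([^\s;|]+))"
    for m in re.finditer(pattern, stmt):
        raw = next(g for g in m.groups() if g is not None)
        for value in raw.split(","):
            if value.strip():
                yield value.strip()


def find_defender_exclusions(script: str):
    """Return (cmdlet, parameter, value) for every exclusion the script block adds."""
    text = normalize_script(script)
    findings = []
    for cmdlet in EXCLUSION_CMDLETS:
        for m in re.finditer(re.escape(cmdlet) + r"\b", text):
            stmt = text[m.end():].split(";", 1)[0]  # rest of this statement only
            for param in EXCLUSION_PARAMS:
                for value in _values_after(stmt, param):
                    findings.append((cmdlet, param, value))
    return findings


def scan_script_blocks(script_blocks):
    """Run the check over a list of script-block texts; return only the blocks with findings."""
    alerts = []
    for idx, block in enumerate(script_blocks):
        findings = find_defender_exclusions(block)
        if findings:
            alerts.append({"index": idx, "findings": findings})
    return alerts


# Constructed ScriptBlockText samples (not taken from the report).
SAMPLE_SCRIPT_BLOCKS = [
    # Plain cmdlet with two exclusions in one call
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension exe',
    # Backtick-obfuscated cmdlet name, excluding the dropped binary by process name
    "Ad`d-MpPre`ference -ExclusionProcess DB9KJ06B1.exe",
    # Encoded-command wrapper; the payload is built at run time so the sample stays readable
    "powershell.exe -nop -w hidden -enc " + encode_ps("Set-MpPreference -ExclusionPath C:\\ProgramData\\tmp"),
    # Benign: only reads the current preferences
    "Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for alert in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        for cmdlet, param, value in alert["findings"]:
            print(f"block {alert['index']}: {cmdlet} {param} {value}")
```

Two caveats for production use: PowerShell also accepts unambiguous prefixes of parameter names (for example -ExclusionP), so a deployed rule should match on prefixes rather than the full names used here, and script-block logging must be enabled on the endpoint or Event ID 4104 never fires. The same exclusions can be written directly to the Defender registry keys or set via Set-MpPreference from a non-PowerShell host, which this log-based check does not see.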

MITRE ATT&CK Enterprise v15

Tasks