General
-
Target
SWIFT Transfer(103)CMRTG24264000825.gz
-
Size
504KB
-
Sample
240926-qsz7eszblk
-
MD5
74cf61b0440052d1e44fc3fae3404c92
-
SHA1
48777fb975724f80a05ba9857b0fc2f4b8faee3b
-
SHA256
d643e3e957800987dc7e234102de3a5ee542fd0ee658a11563bc1ee890c5ff3c
-
SHA512
6ad8ed86c08b05d86f3824e42efe2081adcce73c8cbc8d0fa30bc041d86ea437d46321228904354dc6d7751ca2511010343f243b98f78d76639996fc3b0df540
-
SSDEEP
12288:Twv7D5JX5/4j+zQf9hEz6c4BfFaXmjlILXXES2ye44:T+Da6Qf9hEx2i+mLH3e44
Malware Config
Extracted
lokibot
http://168.100.10.152/index.php/7953330748856
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
SWIFT Transfer(103)CMRTG24264000825.exe
-
Size
560KB
-
MD5
09d540fb3cd0d08a7e0b80279e24edda
-
SHA1
135468d20731746f2971a2d54ab2d427d9a268fa
-
SHA256
da670b909c2881ec6c0215bdebab544f72aca4e56af99581723f7cd08065dd60
-
SHA512
86979e8e02e7c5c1b0b555e7394d232110dbf027798bb87fa4afddaf7d28e4b292ec36e2ca7537710e0133d66b9d126aa16ccc419b74224da7158a4fde9186c3
-
SSDEEP
12288:Za8bQbYz7Jyj+z4AI1x13Ou4JsVGi+mXbsPKiB7XXQkR:ZpIY464AI1nOussgiRifH
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1