General

  • Target

    d643e3e957800987dc7e234102de3a5ee542fd0ee658a11563bc1ee890c5ff3c.gz

  • Size

    504KB

  • Sample

    240927-b8hjzs1hre

  • MD5

    74cf61b0440052d1e44fc3fae3404c92

  • SHA1

    48777fb975724f80a05ba9857b0fc2f4b8faee3b

  • SHA256

    d643e3e957800987dc7e234102de3a5ee542fd0ee658a11563bc1ee890c5ff3c

  • SHA512

    6ad8ed86c08b05d86f3824e42efe2081adcce73c8cbc8d0fa30bc041d86ea437d46321228904354dc6d7751ca2511010343f243b98f78d76639996fc3b0df540

  • SSDEEP

    12288:Twv7D5JX5/4j+zQf9hEz6c4BfFaXmjlILXXES2ye44:T+Da6Qf9hEx2i+mLH3e44

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/7953330748856

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      SWIFT Transfer(103)CMRTG24264000825.exe

    • Size

      560KB

    • MD5

      09d540fb3cd0d08a7e0b80279e24edda

    • SHA1

      135468d20731746f2971a2d54ab2d427d9a268fa

    • SHA256

      da670b909c2881ec6c0215bdebab544f72aca4e56af99581723f7cd08065dd60

    • SHA512

      86979e8e02e7c5c1b0b555e7394d232110dbf027798bb87fa4afddaf7d28e4b292ec36e2ca7537710e0133d66b9d126aa16ccc419b74224da7158a4fde9186c3

    • SSDEEP

      12288:Za8bQbYz7Jyj+z4AI1x13Ou4JsVGi+mXbsPKiB7XXQkR:ZpIY464AI1nOussgiRifH

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks