General
-
Target
dd78820b9e65cea5f79c836569acabb0d30e3a0c811f7adb3041e05b3bb7ddb5.exe
-
Size
530KB
-
Sample
241004-r8c79szenn
-
MD5
e99e62a86238a84f6fc9bc4073aa4f8b
-
SHA1
372db4e91ca74c8eef9defc47b8cdd109ff20571
-
SHA256
dd78820b9e65cea5f79c836569acabb0d30e3a0c811f7adb3041e05b3bb7ddb5
-
SHA512
a7aaf89ae2d1b4d0e29caa293c75b90b6ac793e5821815810fc302c55e2b5fc85ba76428f229af95449f8ecf7c62e1f1a6cf2c255dd53d11353c40f6da651752
-
SSDEEP
12288:Cdfex0KH7J2p7TM8mZwpLS8bj025/wQkR:Smb0pnxpF024X
Malware Config
Extracted
lokibot
http://168.100.10.152/index.php/7953330748856
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
dd78820b9e65cea5f79c836569acabb0d30e3a0c811f7adb3041e05b3bb7ddb5.exe
-
Size
530KB
-
MD5
e99e62a86238a84f6fc9bc4073aa4f8b
-
SHA1
372db4e91ca74c8eef9defc47b8cdd109ff20571
-
SHA256
dd78820b9e65cea5f79c836569acabb0d30e3a0c811f7adb3041e05b3bb7ddb5
-
SHA512
a7aaf89ae2d1b4d0e29caa293c75b90b6ac793e5821815810fc302c55e2b5fc85ba76428f229af95449f8ecf7c62e1f1a6cf2c255dd53d11353c40f6da651752
-
SSDEEP
12288:Cdfex0KH7J2p7TM8mZwpLS8bj025/wQkR:Smb0pnxpF024X
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1