General

  • Target

    f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b.exe

  • Size

    542KB

  • Sample

    241012-cgvkxawhlc

  • MD5

    727b91c3fd7ca790814a5eca87ba9dd7

  • SHA1

    3dcba9c3db41b556f1ca5cb73c0fcfa2713a639a

  • SHA256

    f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b

  • SHA512

    3b2b768a68449ad51db763a5e936fb189187d2c78f94ad25ad998f89fc75751a6e1e2ce4e3b63e0cec58e502271997180d4597fadd783284cf344c59f922164c

  • SSDEEP

    12288:/nw1qbuuNYABD1IKZ8zq91PXlzUWqp4L63psN1jQXCkR:/nehuHZOq9TF042x

Malware Config

Extracted

Family

lokibot

C2

http://touxzw.ir/sirr/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
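The five C2 URLs above share the `.../fre.php` gate path that LokiBot panels conventionally use, so they are useful both as exact indicators and as a shape to hunt for. The following is an added example (not part of the sandbox report) that turns the listed URLs into a host indicator set and runs constructed proxy-log lines through it; the log lines, the `known_c2`/`c2_pattern` verdict names and the POST-to-`fre.php` heuristic are the example's own assumptions, not findings from this report.

```python
"""Match proxy log lines against the LokiBot C2 URLs from the report.

Added example for this report, not part of the sandbox output. C2_URLS is
the report's own list; SAMPLE_LOG is constructed for the demonstration.
"""
from urllib.parse import urlparse

# The five C2 URLs exactly as listed under "Malware Config" in the report.
C2_URLS = [
    "http://touxzw.ir/sirr/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Reduce the C2 URLs to a set of lower-cased hostnames to alert on."""
    return {urlparse(u).hostname.lower() for u in urls}


def classify(line, hosts):
    """Return a verdict for one 'timestamp client method url' log line.

    'known_c2'   : host is one of the report's C2 hosts (exact indicator)
    'c2_pattern' : host is not listed but the request is a POST to a
                   .../fre.php gate, the usual LokiBot beacon shape
                   (assumption: a hunting lead, not proof on its own)
    None         : nothing of interest
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    method, url = parts[2], parts[3]
    host = (urlparse(url).hostname or "").lower()
    if host in hosts:
        return "known_c2"
    if method.upper() == "POST" and urlparse(url).path.endswith("/fre.php"):
        return "c2_pattern"
    return None


# Constructed log lines (not from the report): a hit on a listed C2, benign
# traffic, a sibling domain with the same beacon shape, and a GET to a listed host.
SAMPLE_LOG = """\
2024-10-12T08:01:03Z 10.0.0.17 POST http://alphastand.top/alien/fre.php
2024-10-12T08:01:05Z 10.0.0.17 GET http://www.microsoft.com/
2024-10-12T08:02:10Z 10.0.0.23 POST http://example-lookalike.xyz/alien/fre.php
2024-10-12T08:02:11Z 10.0.0.23 GET http://touxzw.ir/sirr/five/fre.php
"""


def scan(log_text, urls=C2_URLS):
    """Return (client, verdict, url) for every line that matches an indicator."""
    hosts = build_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line, hosts)
        if verdict:
            parts = line.split()
            hits.append((parts[1], verdict, parts[3]))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:11} {client:12} {url}")
```

Matching on hostnames rather than resolved IPs is deliberate: LokiBot C2 domains are cheap throwaways (note the three `alphastand.*` variants) and are frequently sinkholed, so an IP block list goes stale faster than the domain and URI-path indicators do.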

Targets

    • Target

      f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b.exe

    • Size

      542KB

    • MD5

      727b91c3fd7ca790814a5eca87ba9dd7

    • SHA1

      3dcba9c3db41b556f1ca5cb73c0fcfa2713a639a

    • SHA256

      f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b

    • SHA512

      3b2b768a68449ad51db763a5e936fb189187d2c78f94ad25ad998f89fc75751a6e1e2ce4e3b63e0cec58e502271997180d4597fadd783284cf344c59f922164c

    • SSDEEP

      12288:/nw1qbuuNYABD1IKZ8zq91PXlzUWqp4L63psN1jQXCkR:/nehuHZOq9TF042x

    • Lokibot

      Lokibot is an information stealer that harvests stored credentials from browsers, email and FTP clients, and cryptocurrency wallets, and exfiltrates them to its C2 servers (the URLs listed under Malware Config).

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that its files and processes are not scanned (ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell; T1562.001 Impair Defenses: Disable or Modify Tools).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check used to avoid running in particular regions.

    • Accesses Microsoft Outlook profiles (the registry locations where Outlook stores account settings and saved credentials, a standard credential-theft target)

    • Suspicious use of SetThreadContext, typically seen when a payload is written into a suspended process and the main thread's entry point is redirected to it (process hollowing / injection)
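The Defender-exclusion signature above describes what the sample does, not the command line it used. As an added example (not part of the sandbox report, and not the sample's real command lines), the block below shows the detection logic an analyst would run over process-creation command lines to catch it: it decodes `-EncodedCommand` payloads and flags `Add-MpPreference`/`Set-MpPreference` calls that add exclusions or switch off protection. The command lines, the helper names and the tag strings are constructed for the example; only the cmdlet and parameter names are real.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example for this report, not sandbox output. The report states that
the sample runs PowerShell to add exclusions for extensions, paths and
processes, which is what Add-MpPreference -ExclusionExtension/-ExclusionPath/
-ExclusionProcess does. SAMPLE_CMDLINES are constructed, not the sample's own.
"""
import base64
import re

# Add-MpPreference/Set-MpPreference with any of the three exclusion parameters.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Extension|Path|Process)\b",
    re.IGNORECASE | re.DOTALL,
)
# Set-MpPreference switches that turn protection off outright.
DISABLE_RE = re.compile(
    r"\bSet-MpPreference\b.*?-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\b",
    re.IGNORECASE | re.DOTALL,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the payload
# is base64 of UTF-16LE text. '-ExecutionPolicy' does not match because no
# whitespace follows the '-E'.
ENC_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def encode_for_powershell(text):
    """Encode text the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def normalize(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def classify(cmdline):
    """Return ATT&CK-tagged findings for one command line (empty list if clean)."""
    text = normalize(cmdline)
    tags = []
    if EXCLUSION_RE.search(text):
        tags.append("T1562.001 defender-exclusion")
    if DISABLE_RE.search(text):
        tags.append("T1562.001 defender-disable")
    if tags and ENC_RE.search(cmdline):
        tags.append("T1027.010 encoded-command")
    return tags


# Constructed command lines (not from the report): an exclusion in clear text,
# an encoded disable, and two benign invocations that must not fire.
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference '
    '-ExclusionExtension exe,dll -ExclusionPath C:\\Users\\Public -ExclusionProcess svchost.exe"',
    "powershell.exe -NoProfile -enc "
    + encode_for_powershell("Set-MpPreference -DisableRealtimeMonitoring $true"),
    'powershell.exe -Command "Get-MpPreference"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def scan(cmdlines):
    """Return (index, tags) for each command line that produced findings."""
    return [(i, classify(c)) for i, c in enumerate(cmdlines) if classify(c)]


if __name__ == "__main__":
    for i, tags in scan(SAMPLE_CMDLINES):
        print(i, ", ".join(tags), "<-", SAMPLE_CMDLINES[i][:60])
```

Two caveats a practitioner should keep in mind: PowerShell also accepts prefix-abbreviated parameter names (`-ExclusionPa`), which these patterns will miss, and a `-Command` string can be built at runtime from concatenated fragments. Script Block Logging (Event ID 4104) records the script after PowerShell has parsed and decoded it, so running the same `classify` over 4104 script text catches both cases where command-line matching alone does not; on the response side, `Get-MpPreference` on the affected host will list the exclusions that were added.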

MITRE ATT&CK Enterprise v15