General

  • Target: 63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b.exe
  • Size: 594KB
  • Sample: 241115-c21yeswqgy
  • MD5: 62fda9bddb8cf5a4b641de014e050653
  • SHA1: 532bdadc95a530e10ed2f7e377f37018cfca6b0e
  • SHA256: 63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
  • SHA512: e1e71ec6589252b6f75c707c90c6115a0cc4b5515a56914a2e10a126b19ed4fda7bc6e3af0c43a96b63306ed82cc573a8a6118c3cc25b370adf3c632222a585e
  • SSDEEP: 12288:1XOIWF8UKoZbJxNS6iod1/KNrxIvU2xp1lAlR6kCJVM0K:RWhxNBiMI5KvtqlR6kCJVTK

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://94.156.177.95/simple/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

  • Target: 63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b.exe (594KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

  • Lokibot
    Lokibot is a password and cryptocurrency wallet stealer.
  • Lokibot family
  • Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Accesses Microsoft Outlook profiles
  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
