General

  • Target

    givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta

  • Size

    178KB

  • Sample

    241118-v6j5kssbql

  • MD5

    e80a6dc30c45134e8c433ef07277022f

  • SHA1

    9041ab7b0cf03e4c18f86ff32eac95c3ad06f462

  • SHA256

    11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182

  • SHA512

    6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8

  • SSDEEP

    96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta

    • Size

      178KB

    • MD5

      e80a6dc30c45134e8c433ef07277022f

    • SHA1

      9041ab7b0cf03e4c18f86ff32eac95c3ad06f462

    • SHA256

      11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182

    • SHA512

      6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8

    • SSDEEP

      96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks