General

  • Target

    dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta

  • Size

    178KB

  • Sample

    241119-gqwa1ssaml

  • MD5

    a54bdd270a424ec79b735ef6b513c2e4

  • SHA1

    465738a3e31b16ad80c44f3dc7bdd762e402cb51

  • SHA256

    dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

  • SHA512

    598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61

  • SSDEEP

    96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.95/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta

    • Size

      178KB

    • MD5

      a54bdd270a424ec79b735ef6b513c2e4

    • SHA1

      465738a3e31b16ad80c44f3dc7bdd762e402cb51

    • SHA256

      dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

    • SHA512

      598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61

    • SSDEEP

      96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks