General

  • Target

    80358303e33cef71434e6e4a621262c5.exe

  • Size

    570KB

  • Sample

    241119-gzwm5ssbkp

  • MD5

    80358303e33cef71434e6e4a621262c5

  • SHA1

    e7a22b4e5af741f9b4d9982f36164b276bba459a

  • SHA256

    f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7

  • SHA512

    5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

  • SSDEEP

    12288:LUhTeWLn9xDFlYjueKNNuUlsrzwbxnmvGZiOveCdi:Pg9xDddNBxmvGZiOR

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.95/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      80358303e33cef71434e6e4a621262c5.exe

    • Size

      570KB

    • MD5

      80358303e33cef71434e6e4a621262c5

    • SHA1

      e7a22b4e5af741f9b4d9982f36164b276bba459a

    • SHA256

      f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7

    • SHA512

      5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

    • SSDEEP

      12288:LUhTeWLn9xDFlYjueKNNuUlsrzwbxnmvGZiOveCdi:Pg9xDddNBxmvGZiOR

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks