General
Target: 74061922f1e78c237a66d12a15a18181.exe
Size: 586KB
Sample: 241120-h5ykcstlaw
MD5: 74061922f1e78c237a66d12a15a18181
SHA1: e31ee444aaa552a100f006e43f0810497a3b0387
SHA256: 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
SHA512: 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136
SSDEEP: 12288:frO3+Ri3AgFdygxDJz5WFux50+KnCKmfRLdW3Kt9c+O7:LQ3AgyKJdG+wmNdsKM+O7
Static task: static1
Behavioral task: behavioral1
Sample: 74061922f1e78c237a66d12a15a18181.exe
Resource: win7-20240903-en
Malware Config
Extracted family: lokibot
C2 URLs:
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: 74061922f1e78c237a66d12a15a18181.exe
Size: 586KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures:
- Lokibot family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)