General

  • Target

    7c7f42431e94008eaf3e6857101792e4.bin

  • Size

    493KB

  • Sample

    241121-btxelaybkn

  • MD5

    39f7b114cd02e7c530589711cd559329

  • SHA1

    74acb13185f6394eedf99ca8f4e0003db5c68ade

  • SHA256

    b5068640a028fb4bd5fa3d40aebe53fab5d62039f8131d56fb9490ece0a4f6f5

  • SHA512

    618b62c134124f3ff4dc94611a9ea502a2c99d5dc330482d5160686ee0453eef0586a2a1e94823e3774b2aebc8da658c396c8f86bbced7fdb4b35bdc6d148747

  • SSDEEP

    12288:GkZsRzYEoINLBdVOSaLI487FZtuPpOSdObKatlcf/uZmMtBd0qH:T0YELNnVOSd573tuBobKaL/IMR0G

Malware Config

Extracted

Family

lokibot

C2

http://87.120.113.235/18/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      a4e13d5ddfed2748925ccf8cb2a08cf03f992de943e195aa73411e1fd2efab80.exe

    • Size

      518KB

    • MD5

      7c7f42431e94008eaf3e6857101792e4

    • SHA1

      973497ad5d0725b431d1d9b3f2c8f2ef7c20382a

    • SHA256

      a4e13d5ddfed2748925ccf8cb2a08cf03f992de943e195aa73411e1fd2efab80

    • SHA512

      fa54bcd4394326c6e5c44841d31f29c0011ebb088b8d85d8d1b4054c6207a9dccc6b92e4e54c9574763cf06df1c521dee458aabaee7cc4ff40a5110e735d3b6c

    • SSDEEP

      12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPi2AAGXBvFwkmy:Zq5TfcdHj4fmbJ09ekx

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks