General

  • Target

    1a4ca81acf3783f09aa8d756c939aff2004b0058bb56e4f50848f6d684038ab8.exe

  • Size

    414KB

  • Sample

    241122-xhdzrswmhv

  • MD5

    172c872657bda1b84496cab2fee53840

  • SHA1

    3ee54dcd67e09e9738af08ee46ac1452cf14d4e4

  • SHA256

    1a4ca81acf3783f09aa8d756c939aff2004b0058bb56e4f50848f6d684038ab8

  • SHA512

    312e99354f374ffddc02c4a93ac9a76db362a74079a906e8c5feabaa876ca006d3cd9338e4c933de65f17f9f0cfbe3a31546f8059b8ba13219695ad40fee1603

  • SSDEEP

    6144:GGxhLxuI6Gve+4IeZKw+LTTT0MpoY0ENnC3JdHPx3TI1m:vpxxziZKw+LwMEENnC3J/Gm

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=475803

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      1a4ca81acf3783f09aa8d756c939aff2004b0058bb56e4f50848f6d684038ab8.exe

    • Size

      414KB

    • MD5

      172c872657bda1b84496cab2fee53840

    • SHA1

      3ee54dcd67e09e9738af08ee46ac1452cf14d4e4

    • SHA256

      1a4ca81acf3783f09aa8d756c939aff2004b0058bb56e4f50848f6d684038ab8

    • SHA512

      312e99354f374ffddc02c4a93ac9a76db362a74079a906e8c5feabaa876ca006d3cd9338e4c933de65f17f9f0cfbe3a31546f8059b8ba13219695ad40fee1603

    • SSDEEP

      6144:GGxhLxuI6Gve+4IeZKw+LTTT0MpoY0ENnC3JdHPx3TI1m:vpxxziZKw+LwMEENnC3J/Gm

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks