Overview

overview

10

Static

static

3

24ded3efef...cf.exe

windows7-x64

10

24ded3efef...cf.exe

windows10-2004-x64

7

$PLUGINSDI...nc.dll

windows7-x64

10

$PLUGINSDI...nc.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

  • Size

    243KB

  • Sample

    241123-chwjla1nal

  • MD5

    29da8eb9acf3ebdc502817638363b27d

  • SHA1

    1ddb4024670a1e8efd12617ea811fb307072af20

  • SHA256

    24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf

  • SHA512

    58f8f6cb0eaf944dbacd2a804f29870abe34f70d10ccc3335598e982ccb03edb96311a9d2a9c798f8357a43f47b24921cfa3e0e584056d0d27ca2a75fde83d7c

  • SSDEEP

    6144:wBlL/cfBxf0vg+5XB2rZV7CkBFMjEThPBr46Lf8ar:CefBf0IrZ1Cjc26L0ar

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf.exe

    • Size

      243KB

    • MD5

      29da8eb9acf3ebdc502817638363b27d

    • SHA1

      1ddb4024670a1e8efd12617ea811fb307072af20

    • SHA256

      24ded3efefa92fa8688bd29a894401110acf86bb610df5adbd4a5b5a14f65ecf

    • SHA512

      58f8f6cb0eaf944dbacd2a804f29870abe34f70d10ccc3335598e982ccb03edb96311a9d2a9c798f8357a43f47b24921cfa3e0e584056d0d27ca2a75fde83d7c

    • SSDEEP

      6144:wBlL/cfBxf0vg+5XB2rZV7CkBFMjEThPBr46Lf8ar:CefBf0IrZ1Cjc26L0ar

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/chbtjlxnc.dll

    • Size

      32KB

    • MD5

      04e7cb86dc41703a5cf85fc5876ca52c

    • SHA1

      c1b4b144bcfbb9cb60f0feb98c74aeb1ca83abea

    • SHA256

      f151cb8d01bd600340425aed959eff4e663db50941ccba81bee3d94f5ae4e486

    • SHA512

      7c38ab8869747baa87473804cca219969534b71cfdd91b01e2a63b84fc7964fbdbbff7f56f336c2d5bac4031e8ede1e39e1d723854f3f7713b9d1ec37f7d3646

    • SSDEEP

      768:jm79oRz5DjnPKkSnu9OfiIkuy8nEVFCvLSVrSIaonoIxGRBUxNku6:SPqFZdaontxGUxNZ6

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks