General

  • Target

    59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4.exe

  • Size

    586KB

  • Sample

    241123-cw7h1s1rfp

  • MD5

    66b03d1aff27d81e62b53fc108806211

  • SHA1

    2557ec8b32d0b42cac9cabde199d31c5d4e40041

  • SHA256

    59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

  • SHA512

    9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

  • SSDEEP

    12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4.exe

    • Size

      586KB

    • MD5

      66b03d1aff27d81e62b53fc108806211

    • SHA1

      2557ec8b32d0b42cac9cabde199d31c5d4e40041

    • SHA256

      59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

    • SHA512

      9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

    • SSDEEP

      12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks