General
-
Target
d99afa31e5c8c86e3c68827c2b4f22a4273ef584bd1512b0c735f080e7bfd155.exe
-
Size
531KB
-
Sample
241123-xblq2azph1
-
MD5
594ac980fc6e93dec43db41be88c69de
-
SHA1
1a2b0e5e051ea5c684bb8f4ddb55abce29da790b
-
SHA256
d99afa31e5c8c86e3c68827c2b4f22a4273ef584bd1512b0c735f080e7bfd155
-
SHA512
d094e89240e61844d3484b2db6cd10da4902494f6dd10663649acf0f11e0d79053cffe3a74735bdc51ba1d3989953bf092857a41871c4c1b392b4e59d842f9c3
-
SSDEEP
12288:IkgzrbsG+zYluM/r+JiC3L9ptKQvxXWsyZuZiTJfoXSJhVXBG:lm/ZuIFo8hVXBG
Malware Config
Extracted
lokibot
http://37.0.10.190/non/z/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
d99afa31e5c8c86e3c68827c2b4f22a4273ef584bd1512b0c735f080e7bfd155.exe
-
Size
531KB
-
MD5
594ac980fc6e93dec43db41be88c69de
-
SHA1
1a2b0e5e051ea5c684bb8f4ddb55abce29da790b
-
SHA256
d99afa31e5c8c86e3c68827c2b4f22a4273ef584bd1512b0c735f080e7bfd155
-
SHA512
d094e89240e61844d3484b2db6cd10da4902494f6dd10663649acf0f11e0d79053cffe3a74735bdc51ba1d3989953bf092857a41871c4c1b392b4e59d842f9c3
-
SSDEEP
12288:IkgzrbsG+zYluM/r+JiC3L9ptKQvxXWsyZuZiTJfoXSJhVXBG:lm/ZuIFo8hVXBG
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-