Overview

overview

10

Static

static

3

a4376197cd...f1.exe

windows7-x64

10

a4376197cd...f1.exe

windows10-2004-x64

7

$PLUGINSDI...cg.dll

windows7-x64

10

$PLUGINSDI...cg.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a4376197cd1336a10c511df285f5b18279286c0ef5fc6b1b3311cda7b9b823f1.exe

  • Size

    240KB

  • Sample

    241123-zwppjaspej

  • MD5

    2cfaa6cf4d372c280aa47834acdc4cbb

  • SHA1

    88cf6da35d42edcb043b665ef90deb14bc3f58ea

  • SHA256

    a4376197cd1336a10c511df285f5b18279286c0ef5fc6b1b3311cda7b9b823f1

  • SHA512

    c9b3e8edc09853881859fbf1dcb9987c48473ded97b2124657f9fb538d2e3d48fb283b5eb5f032999de885037baca9b4472d15812bc1c6f02d3e7c94f25601be

  • SSDEEP

    6144:wBlL/cK00E317OnqTuU9mteavU7FUkhIlUZIf0zXXn+Zdl/3:CeKC17OnQm0avU7lhYgXXno9

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=719442

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      a4376197cd1336a10c511df285f5b18279286c0ef5fc6b1b3311cda7b9b823f1.exe

    • Size

      240KB

    • MD5

      2cfaa6cf4d372c280aa47834acdc4cbb

    • SHA1

      88cf6da35d42edcb043b665ef90deb14bc3f58ea

    • SHA256

      a4376197cd1336a10c511df285f5b18279286c0ef5fc6b1b3311cda7b9b823f1

    • SHA512

      c9b3e8edc09853881859fbf1dcb9987c48473ded97b2124657f9fb538d2e3d48fb283b5eb5f032999de885037baca9b4472d15812bc1c6f02d3e7c94f25601be

    • SSDEEP

      6144:wBlL/cK00E317OnqTuU9mteavU7FUkhIlUZIf0zXXn+Zdl/3:CeKC17OnQm0avU7lhYgXXno9

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/bssmcg.dll

    • Size

      20KB

    • MD5

      b7240550e69f1fe5d37e59ad792b79bb

    • SHA1

      d3ec1ae9889a3b792fc7ca6c720d3dcdc273bf92

    • SHA256

      b6d65ca328946cac1a89d24c8e45ffed411357c0b51549083c4cf0874b1d231b

    • SHA512

      4996fff77e9683961a7290cfd25d8cbd14edfe5f548d09b645a884e9d9567d0e65366058318c2eeeea0aaf3654dde5be052526445e1fde17d46c416f4ef65599

    • SSDEEP

      384:58sy9SgatMMonfmUmuD+GFu8y8qVtM0nmkrVBrnZ6gdb:58sy96M+UcGFDlqrM0HrVpZ7

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks