Overview

overview

10

Static

static

3

0620ab84a4...eb.exe

windows7-x64

10

0620ab84a4...eb.exe

windows10-2004-x64

7

$PLUGINSDI...vs.dll

windows7-x64

10

$PLUGINSDI...vs.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe

  • Size

    406KB

  • Sample

    241124-demb7awrel

  • MD5

    42954817f830f1df94113a43b4a592ea

  • SHA1

    bbb14840fa7b225e98bf4d80d91adda19a27dd20

  • SHA256

    0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb

  • SHA512

    eaff6c0cdf4d2c954ca70058c0755ca66f486c08e720f1f93bdc5f0e6e989b7adef41fc84409bc7273e907051e718f4a96618011bb9419166bbaf19c885f393a

  • SSDEEP

    6144:hBlL/hlqQxBiHB354KnTppIOtFCGArQ3DOgcdkoMF247Ssd/6HQzXG:nMHAKnTsOtFTAQDOgZLFVGtHQzXG

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/ga19/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb.exe

    • Size

      406KB

    • MD5

      42954817f830f1df94113a43b4a592ea

    • SHA1

      bbb14840fa7b225e98bf4d80d91adda19a27dd20

    • SHA256

      0620ab84a45ac413a3ce956eaf04c3a5ac8bc20983c4d3ddfc4a1ef18b2bddeb

    • SHA512

      eaff6c0cdf4d2c954ca70058c0755ca66f486c08e720f1f93bdc5f0e6e989b7adef41fc84409bc7273e907051e718f4a96618011bb9419166bbaf19c885f393a

    • SSDEEP

      6144:hBlL/hlqQxBiHB354KnTppIOtFCGArQ3DOgcdkoMF247Ssd/6HQzXG:nMHAKnTsOtFTAQDOgZLFVGtHQzXG

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/fqfwqcrlvs.dll

    • Size

      48KB

    • MD5

      2dcfaed029e76d404de8c562e9618fc3

    • SHA1

      ad586f14bf71ea471905da2e424e872432f60d5e

    • SHA256

      54e000d6cbf51dbda212135ecaeae42da9bbd5e4d42bfe472c1df975308ef4ec

    • SHA512

      953da849e7f926ff617a9aca550bda7693b66a58a86da4ae202d4423a926a0d0adfaf7331d9ca113f0f5c867ebaa703f467b642e2ac3735ba811868cebf0427a

    • SSDEEP

      768:n/7Fk2J334zzF1UJ+Eyp/VBdnU/4tK+Fg4JvXQxkAUQxg9q:n/7XVIzzF12+EsdnW4I+FJJ/Qx0lq

    Score
    10/10
    lokibotcollectiondiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks