General
-
Target
359fe1f262f7de4c4991f1d922a04fa0ee8c25862ca3045eb488c6468dcb717dN.exe
-
Size
564KB
-
Sample
241129-rmhwmazmey
-
MD5
22600b0c59204823fd23433a604f35c0
-
SHA1
58facd3e33dd239ac41164d6f8d8d8c375a00db7
-
SHA256
359fe1f262f7de4c4991f1d922a04fa0ee8c25862ca3045eb488c6468dcb717d
-
SHA512
c5c4fa54726e574bbdbb6441a9dd36e83533ff08b97b55be9ffc3c44b4f0cbd7e1b04068ac7068647fba24c7d454520c4f10df7b801e64b23cbcd13300818a5f
-
SSDEEP
12288:fiCb+eCSmPxlDUU+GRHGC+Y3MUCBFevWxiGuooHT7yUI0d8jZ/:TCr8XYcUCDjnuooHT71Iy8jZ/
Malware Config
Extracted
lokibot
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
359fe1f262f7de4c4991f1d922a04fa0ee8c25862ca3045eb488c6468dcb717dN.exe
-
Size
564KB
-
MD5
22600b0c59204823fd23433a604f35c0
-
SHA1
58facd3e33dd239ac41164d6f8d8d8c375a00db7
-
SHA256
359fe1f262f7de4c4991f1d922a04fa0ee8c25862ca3045eb488c6468dcb717d
-
SHA512
c5c4fa54726e574bbdbb6441a9dd36e83533ff08b97b55be9ffc3c44b4f0cbd7e1b04068ac7068647fba24c7d454520c4f10df7b801e64b23cbcd13300818a5f
-
SSDEEP
12288:fiCb+eCSmPxlDUU+GRHGC+Y3MUCBFevWxiGuooHT7yUI0d8jZ/:TCr8XYcUCDjnuooHT71Iy8jZ/
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1