General

  • Target

    527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816.exe

  • Size

    616KB

  • Sample

    241205-c1tgystphv

  • MD5

    17bf29a93776b4f6be948802f652e6a9

  • SHA1

    3e4727a68d9a4ee3dc3af79408d60916777c1546

  • SHA256

    527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816

  • SHA512

    df9c87a3e89790924d63afbd1dc339178d08b0f394da16b728ee67d994337096ff969de6224a49a4e6369a2329fe4db9e5a89eb6c3f4f068e56b0365d02f2d0e

  • SSDEEP

    12288:+y4IR4R52J+XtWdNIyh1yxrgS1j/3XRaOzqiCShFgw64mLobm/IRskR:H4Iee7XthkxkS1jMi/KIt

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/kings/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
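The five C2 URLs above come straight out of the sample's extracted config, which makes them the most reliable network indicator on this page. The block below is an added example (not part of the sandbox report and not the vendor's code) that turns them, together with the report's hashes, into a small matcher: it parses a Squid-style proxy log (layout assumed; the log lines are constructed, not real telemetry), flags exact (host, path) matches, and additionally flags POSTs to any other host whose path ends in `/fre.php`, the gate script name shared by every URL in the config. That second check is my heuristic, not something the report states, and it will produce false positives.

```python
"""Added example, not part of the sandbox report: match proxy telemetry and file
hashes against the indicators this report extracts from the Lokibot sample.
The C2 URLs and hashes are copied from the report; the log lines are constructed."""
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs from the extracted config (Malware Config -> C2).
C2_URLS = [
    "http://94.156.177.41/kings/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# File hashes from the report's General section.
SAMPLE_HASHES = {
    "md5": "17bf29a93776b4f6be948802f652e6a9",
    "sha1": "3e4727a68d9a4ee3dc3af79408d60916777c1546",
    "sha256": "527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816",
}

# Exact (host, path) pairs from the config; matching on host alone would also
# flag unrelated content on a shared or sinkholed host.
C2_ENDPOINTS = {
    ((urlparse(u).hostname or "").lower(), urlparse(u).path) for u in C2_URLS
}

# Squid-style access log layout assumed for the constructed sample:
# "<ts> <elapsed> <client> <action/status> <bytes> <method> <url> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def classify_url(method, url):
    """'c2-match' for an endpoint listed in the extracted config; 'c2-pattern'
    (added heuristic, expect false positives) for a POST to the same gate script
    name on an unlisted host, since every config URL ends in /fre.php and
    Lokibot C2 hosts rotate between builds."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in C2_ENDPOINTS:
        return "c2-match"
    if method == "POST" and p.path.endswith("/fre.php"):
        return "c2-pattern"
    return None


def scan_log(lines):
    """Return one record per flagged request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m.group("method"), m.group("url"))
        if verdict:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "url": m.group("url"), "verdict": verdict})
    return hits


def hashes_of(data):
    """MD5/SHA1/SHA256 of a file's bytes, keyed like SAMPLE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_report(hashes):
    """Names of the algorithms whose digest equals the report's. Any one match
    identifies the file; no match on any of them means a different file."""
    return {k for k, v in hashes.items() if SAMPLE_HASHES.get(k) == v}


# Constructed sample traffic (not real telemetry).
SAMPLE_LOG = """\
1733364000.101   212 10.0.0.15 TCP_MISS/200 312 POST http://94.156.177.41/kings/five/fre.php - HIER_DIRECT/94.156.177.41 text/html
1733364001.502    88 10.0.0.15 TCP_MISS/200 512 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1733364002.913   190 10.0.0.22 TCP_MISS/404 120 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/203.0.113.7 text/html
1733364003.120   150 10.0.0.31 TCP_MISS/200 300 POST http://other.invalid/alien/fre.php - HIER_DIRECT/198.51.100.9 text/html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(matches_report(hashes_of(b"not the sample")))
```

Note that a 404 from the C2 (third log line) still counts as a match: the host answered, and the client attempted the check-in, which is the behaviour worth paging on regardless of whether the panel was up.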

Targets

    • Target

      527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816.exe


    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Lokibot family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
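The PowerShell signature above (Defender exclusions added for extensions, paths and processes) is the one behaviour in this list that leaves a clean host-side trace. The block below is an added example, not part of the sandbox report, showing the detection logic a practitioner would run over PowerShell Script Block Logging events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational, assumed enabled). The events are constructed, not taken from the sample, and the field names (`record`, `event_id`, `script`) are my own simplification of the event record.

```python
"""Added example, not part of the sandbox report: flag PowerShell script blocks
that add Windows Defender exclusions, the behaviour described by the report's
'Command and Scripting Interpreter: PowerShell' signature.
Input is assumed to be Event ID 4104 (Microsoft-Windows-PowerShell/Operational,
Script Block Logging enabled); the events below are constructed, not from the sample."""
import re

# Only Add-/Set-MpPreference change preferences; Get-MpPreference just reads them.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# An -Exclusion* parameter followed by its value (double-quoted, single-quoted
# or bare). The name is matched as a prefix because PowerShell accepts any
# unambiguous abbreviation, so "-ExclusionPa" is a valid spelling of -ExclusionPath.
PARAM_RE = re.compile(
    r'''-(Exclusion\w*)\s+(?:"([^"]*)"|'([^']*)'|([^\s;|]+))''', re.IGNORECASE
)

FULL_NAMES = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")


def canonical_param(name):
    """Expand an abbreviated parameter name; leave ambiguous ones as written."""
    cands = [f for f in FULL_NAMES if f.lower().startswith(name.lower())]
    return cands[0] if len(cands) == 1 else name


def find_defender_exclusion_tampering(events):
    """Return one hit per script block that adds or sets a Defender exclusion."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4104:
            continue
        text = ev["script"]
        cmdlet = CMDLET_RE.search(text)
        if not cmdlet:
            continue
        exclusions = {}
        for m in PARAM_RE.finditer(text):
            value = next(g for g in m.groups()[1:] if g is not None)
            # A comma-separated value is a single array argument in PowerShell.
            exclusions.setdefault(canonical_param(m.group(1)), []).extend(
                v.strip() for v in value.split(",") if v.strip())
        if exclusions:
            hits.append({"record": ev["record"], "cmdlet": cmdlet.group(0),
                         "exclusions": exclusions})
    return hits


# Constructed events; only the script text matters for the check.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4104,
     "script": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\Libraries" '
               '-ExclusionExtension ".exe" -ExclusionProcess "svchost.exe"'},
    {"record": 2, "event_id": 4104,
     "script": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"},
    {"record": 3, "event_id": 4104,
     "script": "Set-MpPreference -ExclusionPa 'C:\\ProgramData\\Update,C:\\Temp'"},
    {"record": 4, "event_id": 4104,
     "script": "add-mppreference -exclusionextension .scr"},
]

if __name__ == "__main__":
    for hit in find_defender_exclusion_tampering(SAMPLE_EVENTS):
        print(hit)
```

Two caveats a practitioner would add. First, 4104 only exists where Script Block Logging is turned on; without it, a `powershell.exe -EncodedCommand` launch in process-creation telemetry shows nothing of the content. Second, the cmdlet is not the only road to the same result: the preference change itself is recorded by Defender as Event ID 5007 in Microsoft-Windows-Windows Defender/Operational, which also catches exclusions set through WMI or by writing the Defender exclusion registry keys directly, so the two sources should be correlated rather than relied on individually.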

MITRE ATT&CK Enterprise v15

Tasks