General

  • Target

    9f259eea8c8508b1b3c77ebde3441e0c8618e253739e4ce469a93d9fd33264af.exe

  • Size

    719KB

  • Sample

    250226-eprkbsxps6

  • MD5

    4e4108ccf43fde81b96e2606d38628a0

  • SHA1

    7e557a4e252df3f86b6fa10e61d558ed15727345

  • SHA256

    9f259eea8c8508b1b3c77ebde3441e0c8618e253739e4ce469a93d9fd33264af

  • SHA512

    3fe601d94128cbca5a506ed88fcd45b16e69fdd8e3ff85b3286dc8039479c1dd3eaecff62d7126902a742fbeaee301485f1d011720d263883698dbc20b2edd4e

  • SSDEEP

    12288:WdOWWvUe3yT2+gGYuSBAlz68Xbi1UfkNyC63r47ofWS42q0R7E0UkyT27kR:ooUe0ke+sekkod747A42qqANpX

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://94.156.177.41/sss1/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Lokibot family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15