General

  • Target

    new crypted.exe

  • Size

    599KB

  • Sample

    200630-hm2mbfl9dn

  • MD5

    528e2a7d71e7d96e8c8e59d5ebb2bd1c

  • SHA1

    54cd335268104d8b22d66a24796050ee48a3ac72

  • SHA256

    5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb

  • SHA512

    46dd6d165fce867b2e3f3603d6c6ecbd1dd5c48d0a6ae2354fc7edf0254e2d0d6d45574db18731d73d43030322a4421614903049f6aa78aa4e144f783987b2aa

Malware Config

Extracted

Family

lokibot

C2

airmanselectiontest.com/oo/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique               Count  ID
Credential Access  Credentials in Files    1      T1081
Collection         Data from Local System  1      T1005

Tasks