General

  • Target

    SHIPPING_DOCS_WAN_HAI_pdf.exe

  • Size

    240KB

  • Sample

    200630-jnlvr1s28n

  • MD5

    9f687baad6cff9deb8ed43bbc7a383f4

  • SHA1

    c3d355cc10d044964fdb1d563afc525b25d8e98f

  • SHA256

    df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5

  • SHA512

    9c8d40a4346279c9ad5add328a3695ab4a80decbcc580edcb5a998896018c63af1bc84028e6d574635c77194e7ee970b195c89724ebf59541154c7896efe45f2

Malware Config

Extracted

Family

lokibot

C2

http://flexpak-th.com/osama/aboki/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
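The C2 list above and the hashes in the General section are the operational output of this report. The following added example (not part of the sandbox report) shows how a responder would turn them into a match over proxy logs and an EDR hash export; the log format, the hostnames WS-015/WS-022, the EDR export shape and every log line are constructed for illustration. The `fre.php` path heuristic is a lower-confidence generalisation of the five URLs listed, not an indicator from the report.

```python
"""Match the indicators from this report against constructed log data.

Added example for the report above; not part of the sandbox output. The proxy
log lines and the EDR hash export below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the report.
C2_URLS = [
    "http://flexpak-th.com/osama/aboki/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
SAMPLE_HASHES = {
    "md5": "9f687baad6cff9deb8ed43bbc7a383f4",
    "sha1": "c3d355cc10d044964fdb1d563afc525b25d8e98f",
    "sha256": "df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5",
}


def c2_index(urls):
    """Build {host: {path, ...}} so lookups ignore scheme, port and case."""
    idx = {}
    for u in urls:
        p = urlsplit(u)
        idx.setdefault(p.hostname.lower(), set()).add(p.path)
    return idx


# Constructed proxy log format (assumed): "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url, idx):
    """Return a verdict for one URL, from most to least specific."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if host in idx and p.path in idx[host]:
        return "c2_exact"            # host and panel path both from the report
    if host in idx:
        return "c2_host"             # known host, different path
    if p.path.endswith("/fre.php"):
        return "fre_php_heuristic"   # assumption: generalised panel path, low confidence
    return None


def scan_proxy_log(lines, idx):
    """Yield one hit per log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real parser would count these
        ts, src, _method, url, _status = m.groups()
        verdict = classify_request(url, idx)
        if verdict:
            hits.append({"ts": ts, "src": src, "url": url, "verdict": verdict})
    return hits


def match_hashes(observed, known=SAMPLE_HASHES):
    """observed: iterable of (host, algo, hexdigest) from an EDR hash export (constructed shape)."""
    known_lower = {a: h.lower() for a, h in known.items()}
    return [(host, algo) for host, algo, digest in observed
            if known_lower.get(algo.lower()) == digest.lower()]


# Constructed sample data; timestamps and addresses are invented.
PROXY_LOG = [
    "2020-06-30T10:14:02Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404",
    "2020-06-30T10:14:05Z 10.0.0.15 POST http://alphastand.top/alien/fre.php 200",
    "2020-06-30T10:14:09Z 10.0.0.22 GET http://example.com/index.html 200",
    "2020-06-30T10:15:11Z 10.0.0.15 POST http://flexpak-th.com:8080/osama/aboki/fre.php 200",
    "2020-06-30T10:16:00Z 10.0.0.31 POST http://unrelated.example/panel/fre.php 200",
    "2020-06-30T10:16:30Z 10.0.0.15 GET http://alphastand.win/other.html 200",
]
EDR_HASHES = [
    ("WS-015", "sha256", "DF1F012094E4D7601EECAC850AF54EB268691A8DD95F79FAE052E6B7588780F5"),
    ("WS-022", "sha256", "0000000000000000000000000000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, c2_index(C2_URLS)):
        print(hit)
    print(match_hashes(EDR_HASHES))
```

The index is keyed on hostname only, so a C2 reached on a non-standard port (line four) still matches exactly; a request to a listed host with an unlisted path is reported separately as `c2_host` because the panel path is easily rotated by the operator, while the bare `fre.php` heuristic is kept distinct so analysts can triage it at a lower priority.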

Targets

    • Target

      SHIPPING_DOCS_WAN_HAI_pdf.exe

    • Size

      240KB

    • MD5

      9f687baad6cff9deb8ed43bbc7a383f4

    • SHA1

      c3d355cc10d044964fdb1d563afc525b25d8e98f

    • SHA256

      df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5

    • SHA512

      9c8d40a4346279c9ad5add328a3695ab4a80decbcc580edcb5a998896018c63af1bc84028e6d574635c77194e7ee970b195c89724ebf59541154c7896efe45f2

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and autofill entries.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect execution in a process-injection technique such as process hollowing; the call alone is not conclusive, as debuggers and some runtimes use it legitimately.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 1 matching signature

  • Collection: Data from Local System (T1005), 1 matching signature
