General

  • Target

    SKMBT_28320062618070.exe

  • Size

    305KB

  • Sample

    200630-n8paft7gjs

  • MD5

    beed61c6f7049b8775e2f2a56290e402

  • SHA1

    736c845087f1a147a435aaa8452fba00754edd20

  • SHA256

    bd6db82e76d317027f409e907b46cc03a4c9591d175bcf03164c98f3e50d6aed

  • SHA512

    bc5d272d9e53db802c4b05b39ab7b512c29f66966f8ab9804939ac77e4753feddb19b62f5f7005c355649dd844c33d47cce7c8cc2fc0d6bf338627feb3e084b4

Malware Config

Extracted

Family

lokibot

C2

http://nightmarefile.ga/Jay/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and form history.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                  Count  ID
  Execution              Scheduled Task             1      T1053
  Persistence            Scheduled Task             1      T1053
  Privilege Escalation   Scheduled Task             1      T1053
  Credential Access      Credentials in Files       1      T1081
  Collection             Data from Local System     1      T1005