General

  • Target

    Swift Copy .exe

  • Size

    204KB

  • Sample

    200630-yawt549ten

  • MD5

    3e16daba50a8be623cd5378cd88a7da9

  • SHA1

    8735613fbca79fb408ebe11568a5e9a6c03af556

  • SHA256

    7377850f0f7622852b75f56e363578aef1b24d85938525a1ea4364ec1b41c9c3

  • SHA512

    bee5356f34c2bb259845e93583c57d93cf1b4675cb5218e5ace6955c1def4255a072705b5783cf4ef06fd474e687e102e03f50aa13d38ac487b00baba14f2520

Malware Config

Extracted

Family

lokibot

C2

http://siiigroup.com/gst/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                 ID      Count
  Credential Access  Credentials in Files      T1081   1
  Collection         Data from Local System    T1005   1

Tasks