General

  • Target

    SecuriteInfo.com.Trojan.MulDrop.1161.895.14575

  • Size

    504KB

  • Sample

    200801-98s75eftva

  • MD5

    32ffae9524a6321051248e4313c91852

  • SHA1

    5e28c29f740842a5eee6f2717d25f86dd3b0f752

  • SHA256

    6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33

  • SHA512

    60bb5521d91b14e510d10df9a21619c81724b81cf5d999f7719ca433f7d34da81b06f9cb982a4bec42e78d92b892c8181adc326669b2a0446e6adf1114468cc7

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://dresson1.com/wip-admin/js/Panel/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            ID     Count
Persistence        Registry Run Keys / Startup Folder   T1060  2
Defense Evasion    Modify Registry                      T1112  2
Credential Access  Credentials in Files                 T1081  1
Collection         Data from Local System               T1005  1
