General
-
Target
8c7e9d4d5f172854a531a86d34af2c8c
-
Size
123KB
-
Sample
220505-hsnjmafdb5
-
MD5
8c7e9d4d5f172854a531a86d34af2c8c
-
SHA1
43d99c2bf4d5fce1b640b4ee65b234ced6292c35
-
SHA256
7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19
-
SHA512
d8b28dd232248da57d2762363661a80762c17822baff5d1a3efdd4ae1e160b6a85f77d9f5a09e1ebe0b653e8dbdbde65b36c08873a8d8ed5bfb3a9d48c865c5c
Malware Config
Extracted
lokibot
http://37.0.11.227/sarag/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
8c7e9d4d5f172854a531a86d34af2c8c
-
Size
123KB
-
MD5
8c7e9d4d5f172854a531a86d34af2c8c
-
SHA1
43d99c2bf4d5fce1b640b4ee65b234ced6292c35
-
SHA256
7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19
-
SHA512
d8b28dd232248da57d2762363661a80762c17822baff5d1a3efdd4ae1e160b6a85f77d9f5a09e1ebe0b653e8dbdbde65b36c08873a8d8ed5bfb3a9d48c865c5c
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-