General

  • Target

    0a7aed545d82f26a87de1cca47796231_JaffaCakes118

  • Size

    244KB

  • Sample

    240328-tyfxhsbe58

  • MD5

    0a7aed545d82f26a87de1cca47796231

  • SHA1

    ae96f05b50c0fa4e92010c60091f09767aa9cf91

  • SHA256

    ae394cbd22d622c2b70db9e5dac86cd3806f4bd77e58d87cf3d66889d863b839

  • SHA512

    25c67f08bfe084b43ca6b41c591cea578d6c89da4461987c00604d72e6bd715eda4b2b286c4fe678d96724b453879d5e4d600f88298f27e8ec2e1ced570f91f0

  • SSDEEP

    6144:wBlL/cejlrttsrf2gR8cK+c363Znl3y19KZ6D:Ceejl4rugec373yPD

Malware Config

Extracted

Family

lokibot

C2

http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      0a7aed545d82f26a87de1cca47796231_JaffaCakes118

    • Size

      244KB

    • MD5

      0a7aed545d82f26a87de1cca47796231

    • SHA1

      ae96f05b50c0fa4e92010c60091f09767aa9cf91

    • SHA256

      ae394cbd22d622c2b70db9e5dac86cd3806f4bd77e58d87cf3d66889d863b839

    • SHA512

      25c67f08bfe084b43ca6b41c591cea578d6c89da4461987c00604d72e6bd715eda4b2b286c4fe678d96724b453879d5e4d600f88298f27e8ec2e1ced570f91f0

    • SSDEEP

      6144:wBlL/cejlrttsrf2gR8cK+c363Znl3y19KZ6D:Ceejl4rugec373yPD

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/ilydrm.dll

    • Size

      42KB

    • MD5

      0a1ddcb22e0e985306480ac4aa415494

    • SHA1

      fb7e0634cf441c2fbe7243ed6375b4b3842b9044

    • SHA256

      90fdd61c4c83d9c35fcdffccc2953a0fe7ab3956a16d81072546d7d3301ba622

    • SHA512

      433d58dee50d5f56fd787b6a1fb0d595b3d1f40e95c243336220d062abb15e2f653ea37f23cc2702fbc2d27a6df3ce68d2578aa1ff64df1a6eb18b39bf5e7592

    • SSDEEP

      768:+7Y7+jTu71Hpg/DUBCU5h4plz3QFywFgy7y6AfYSWHX9bz:+7Yij67p5BGqFgYLApWHB

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks