General

  • Target

    408d4e2d074aae3cea6ef4b0e5692396_JaffaCakes118

  • Size

    514KB

  • Sample

    240330-vw9bqabb94

  • MD5

    408d4e2d074aae3cea6ef4b0e5692396

  • SHA1

    e90832ba56d3b3098254e8b63bee9818d9b4dfc4

  • SHA256

    cf0aeb6b5855b1a72e19c50f9d662e765435c2d701b0ea88bb9c4bfe168f1a94

  • SHA512

    8ad90f4cf36c4bf0f4f6515f7f12e7385b7addcf70708880064b82be52aab263fd8976ffa182d37dc0c93ec320301820208f3d46fe4cc9811241257774d73324

  • SSDEEP

    6144:QIIOc8oTJ5H6MFohvg6ZGOSyO1kc8mwe+23cKG1VEl+I0FEuiQYcsYxPrEPoN7WI:tIOc8oT70hvSlv10/zEZQzvxjNi8E70

Malware Config

Extracted

Family

lokibot

C2

http://136.243.159.53/~element/page.php?id=423

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks