General

  • Target

    4b1015a15505f9f64de58bc00dd92570_JaffaCakes118

  • Size

    604KB

  • Sample

    240331-c8swdsch88

  • MD5

    4b1015a15505f9f64de58bc00dd92570

  • SHA1

    ecf2851628dc1b8ebf4ddbf529f687e334124622

  • SHA256

    b65b34a54593add5ada0cc781f370a27c19af92ff0f2621b1539efd90a001cde

  • SHA512

    182d535be9ad242de0d28c9c07415f47d79694cc37a5ff3a11ea4570a158d338094a4d7511d5493a4b0f736aa4fe28ec2c4a1fbde81e45a12284aed92c619949

  • SSDEEP

    12288:pwhvsUi07I6+ilA51YeMreCNUPGbt7cJWD:pMkUieI6+iY1urHKJW

Malware Config

Extracted

Family

lokibot

C2

http://checkvim.com/fd3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
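The five C2 URLs extracted above all share the same gate path (`fre.php` under a short directory), so they are most useful as a hunting list for proxy or web-filter logs. The following is an added example, not part of the sandbox report: it indexes the extracted URLs, then classifies constructed proxy log lines (the log lines and the Squid-like field layout are assumptions made for this example) into exact C2 hits, traffic to a known C2 host on another path, and the weaker generic pattern of a POST to any `/fre.php`.

```python
"""Match proxy/web log lines against the Lokibot C2 URLs extracted in the report above."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://checkvim.com/fd3/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalise(url):
    """Return (host, path): hostname lowercased, default port dropped, empty path -> '/'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


C2_INDEX = {normalise(u) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_INDEX}

# Constructed sample log lines for this example (not from the sandbox run).
# Assumed layout: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
1711900001.123 10.0.0.15 POST http://checkvim.com/fd3/fre.php 200
1711900002.456 10.0.0.15 GET http://example.com/index.html 200
1711900003.789 10.0.0.22 POST http://ALPHASTAND.top/alien/fre.php 404
1711900004.012 10.0.0.22 POST http://alphastand.top:80/alien/other.php 200
1711900005.345 10.0.0.31 POST http://unknown-host.example/panel/fre.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify(url, method):
    """Return a verdict for one request, or None when no rule matches.

    exact-c2        host and path match an extracted C2 URL
    c2-host         known C2 host, different path (rotated gate or panel access)
    lokibot-pattern POST to a /fre.php gate on an unlisted host; weaker signal
    """
    host, path = normalise(url)
    if (host, path) in C2_INDEX:
        return "exact-c2"
    if host in C2_HOSTS:
        return "c2-host"
    if method.upper() == "POST" and path.endswith("/fre.php"):
        return "lokibot-pattern"
    return None


def scan(log_text):
    """Return [(client, url, verdict)] for every parseable line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        verdict = classify(m["url"], m["method"])
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {client:12} {url}")
```

The host comparison is case-insensitive and ignores an explicit default port, so `http://ALPHASTAND.top/...` and `http://alphastand.top:80/...` both resolve to the same indexed host. The `lokibot-pattern` rule is deliberately the lowest-confidence tier: the `fre.php` gate name is shared by all five extracted URLs, but on its own it is a lead to pivot on, not a confirmed infection.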

Targets

    • Target

      4b1015a15505f9f64de58bc00dd92570_JaffaCakes118

    • Size

      604KB

    • MD5

      4b1015a15505f9f64de58bc00dd92570

    • SHA1

      ecf2851628dc1b8ebf4ddbf529f687e334124622

    • SHA256

      b65b34a54593add5ada0cc781f370a27c19af92ff0f2621b1539efd90a001cde

    • SHA512

      182d535be9ad242de0d28c9c07415f47d79694cc37a5ff3a11ea4570a158d338094a4d7511d5493a4b0f736aa4fe28ec2c4a1fbde81e45a12284aed92c619949

    • SSDEEP

      12288:pwhvsUi07I6+ilA51YeMreCNUPGbt7cJWD:pMkUieI6+iY1urHKJW

    • Lokibot

      Lokibot is an information stealer that harvests stored passwords and cryptocurrency wallet data and exfiltrates them to its C2 gate.

    • Reads user/profile data of web browsers

      Infostealers commonly read the profile directories of installed browsers, which hold saved credentials, cookies, autofill data and browsing history.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used by process-injection techniques such as process hollowing to redirect a suspended thread to attacker-controlled code; its presence alongside the above behaviours is a strong indicator of unpacking into another process.

MITRE ATT&CK Enterprise v15

Tasks