General

  • Target

    534baf1e3052e01385f1a77c374d8249_JaffaCakes118

  • Size

    324KB

  • Sample

    240331-lrc82sac68

  • MD5

    534baf1e3052e01385f1a77c374d8249

  • SHA1

    06770bfc9ff1f15af83ffcf324c3034b1f52c294

  • SHA256

    813db55dac40b8997991910f6b37e14d79ffb6295c6811e762ec6f3db6a65fa2

  • SHA512

    d7ec8ac5327b9524c1a2a116d962006f7231fb306988ee788317efd5a83965322192e44c8a209fb6bf1d07ceb0ff2eaf545e0dd41d898838417d4e8b46b55714

  • SSDEEP

    6144:W34Ca/GvYdGoIbyDo85ThHxlesuGp2DGHN+7TyoHyhMB941LwxR:WX+GwdGoI+s81tTuext+vyofB9WEX

Malware Config

Extracted

Family

lokibot

C2

http://checkvim.com/fd7/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
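The indicators above (the hashes in General and the extracted C2 URLs) are only useful once they are applied to something. The following is an added example, not part of the sandbox report: it copies the hashes and C2 URLs verbatim from this page and shows two offline checks, hashing a file and comparing it against the reported sample, and scanning proxy log lines for contact with the listed C2 hosts. The log format and the log lines are constructed for the demo; the `/fre.php` POST heuristic is an assumption derived from the shared path of the five listed URLs and is the weakest of the three checks.

```python
"""Added example (not part of the sandbox report): apply the listed IOCs offline."""
import hashlib
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Hashes and C2 URLs copied from the report above.
SAMPLE_HASHES = {
    "md5": "534baf1e3052e01385f1a77c374d8249",
    "sha1": "06770bfc9ff1f15af83ffcf324c3034b1f52c294",
    "sha256": "813db55dac40b8997991910f6b37e14d79ffb6295c6811e762ec6f3db6a65fa2",
}
C2_URLS = [
    "http://checkvim.com/fd7/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS: Set[str] = {urlparse(u).hostname for u in C2_URLS}


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute MD5/SHA1/SHA256 of a byte string (e.g. a file's contents)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hashes(data: bytes) -> Set[str]:
    """Return which of the reported hashes the data matches.

    An empty set means 'not this sample'. Treat an MD5-only or SHA1-only
    match as worth a second look rather than a verdict: both are
    collision-prone, SHA256 is the one to rely on.
    """
    computed = file_hashes(data)
    return {alg for alg, value in SAMPLE_HASHES.items() if computed[alg] == value}


# Constructed proxy log format (assumption, not the report's):
# <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(method: str, url: str) -> Optional[str]:
    """Strongest matching reason, or None if the request is not an indicator.

    exact_c2_url: the URL is one of the extracted C2 gates.
    c2_host:      the host (or a subdomain of it) is a listed C2 domain.
    fre_php_post: heuristic only, a POST to any .../fre.php (assumed from the
                  shared path of the listed URLs; can false-positive).
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if url in C2_URLS:
        return "exact_c2_url"
    if any(host == h or host.endswith("." + h) for h in C2_HOSTS):
        return "c2_host"
    if method == "POST" and parsed.path.endswith("/fre.php"):
        return "fre_php_post"
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # unparseable line: skip rather than guess
            continue
        reason = classify_request(m["method"], m["url"])
        if reason:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "reason": reason})
    return hits


# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2024-03-31T13:14:15Z 10.0.0.12 POST http://alphastand.top/alien/fre.php 404",
    "2024-03-31T13:14:16Z 10.0.0.12 GET http://example.com/index.html 200",
    "2024-03-31T13:14:17Z 10.0.0.34 POST http://checkvim.com/fd7/other.php 200",
    "2024-03-31T13:14:18Z 10.0.0.56 POST http://intranet.local/stats/fre.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    with open(__file__, "rb") as fh:  # any file: this script is just a stand-in
        print("matches reported sample:", matching_hashes(fh.read()) or "no")
```

A 404 from the C2, as in the first constructed line, is still a hit: LokiBot panels are frequently taken down or sinkholed before the infected host stops beaconing, so the response code says nothing about whether the client is infected.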

Targets

    • Target

      534baf1e3052e01385f1a77c374d8249_JaffaCakes118

    • Size

      324KB

    • MD5

      534baf1e3052e01385f1a77c374d8249

    • SHA1

      06770bfc9ff1f15af83ffcf324c3034b1f52c294

    • SHA256

      813db55dac40b8997991910f6b37e14d79ffb6295c6811e762ec6f3db6a65fa2

    • SHA512

      d7ec8ac5327b9524c1a2a116d962006f7231fb306988ee788317efd5a83965322192e44c8a209fb6bf1d07ceb0ff2eaf545e0dd41d898838417d4e8b46b55714

    • SSDEEP

      6144:W34Ca/GvYdGoIbyDo85ThHxlesuGp2DGHN+7TyoHyhMB941LwxR:WX+GwdGoI+s81tTuext+vyofB9WEX

    • Lokibot

      Lokibot is an information stealer that harvests stored passwords and cryptocurrency wallet data and exfiltrates them to the C2 gates listed above.

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

      Outlook profile data holds mail account settings and can include stored account credentials.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is a common step in process hollowing and other code-injection techniques.

MITRE ATT&CK Enterprise v15

Tasks