General

  • Target

    fac41e4e724bf794af1a1e2df965c665_JaffaCakes118

  • Size

    914KB

  • Sample

    240419-vlwymsah7v

  • MD5

    fac41e4e724bf794af1a1e2df965c665

  • SHA1

    7acf73099786c571cc4c8353c7d1c4896d7e631c

  • SHA256

    d5ad8ba8690a44f1f566b3ae03eb053eaeb9290f34a05480494cc51c2df2794b

  • SHA512

    4bae3433c0bfcd9624d3dc94d507ab9ed0abdd59b24cfb046301eaf44a78e0b8b873596aba7eaa56cf02a2389aa7591eddf43c45d317a8467e713cc4ee98f7d0

  • SSDEEP

    12288:fmwg6Guy1lexmRwefisAs5/d3Xh1lkxO7p/KviAgM9fLzJoPxxltyOqK4T:N/05/d3H6QQDXJuLyOq

Malware Config

Extracted

Family

lokibot

C2

http://apponline354.ir/kiriko/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      fac41e4e724bf794af1a1e2df965c665_JaffaCakes118

    • Size

      914KB

    • MD5

      fac41e4e724bf794af1a1e2df965c665

    • SHA1

      7acf73099786c571cc4c8353c7d1c4896d7e631c

    • SHA256

      d5ad8ba8690a44f1f566b3ae03eb053eaeb9290f34a05480494cc51c2df2794b

    • SHA512

      4bae3433c0bfcd9624d3dc94d507ab9ed0abdd59b24cfb046301eaf44a78e0b8b873596aba7eaa56cf02a2389aa7591eddf43c45d317a8467e713cc4ee98f7d0

    • SSDEEP

      12288:fmwg6Guy1lexmRwefisAs5/d3Xh1lkxO7p/KviAgM9fLzJoPxxltyOqK4T:N/05/d3H6QQDXJuLyOq

    • Lokibot

Lokibot is a password and cryptocurrency-wallet stealer.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook profile data can hold stored mail-account settings and credentials, a common infostealer target.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect execution in another process, for example in process hollowing or other code-injection techniques.

MITRE ATT&CK Enterprise v15

Tasks