General
-
Target
009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118
-
Size
552KB
-
Sample
240426-mst4maef92
-
MD5
009652ad8cba8a42caa9db1c8d0931b7
-
SHA1
e1bdb522bcdf2651f9a4137efc6ec6a7d824b734
-
SHA256
a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650
-
SHA512
6029d9b677bef6b49042bd90eb313db1ac1e609b8fcafa685af21a8c275d28af208b63e945e80c0a87d43b6d881a3785aadba6229a61ed969dfa642ebabaa980
-
SSDEEP
6144:hZmqhX7z0trUCSkKampadWo7C9VT+fw+70k5Xks4Rxqb++wi6RanU/E1W6w5Yh+4:HktZKtpaYTFtk514Sae6Raeqrh+WS4
Malware Config
Extracted
lokibot
http://185.24.233.117/~zadmin/aps/cache.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118
-
Size
552KB
-
MD5
009652ad8cba8a42caa9db1c8d0931b7
-
SHA1
e1bdb522bcdf2651f9a4137efc6ec6a7d824b734
-
SHA256
a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650
-
SHA512
6029d9b677bef6b49042bd90eb313db1ac1e609b8fcafa685af21a8c275d28af208b63e945e80c0a87d43b6d881a3785aadba6229a61ed969dfa642ebabaa980
-
SSDEEP
6144:hZmqhX7z0trUCSkKampadWo7C9VT+fw+70k5Xks4Rxqb++wi6RanU/E1W6w5Yh+4:HktZKtpaYTFtk514Sae6Raeqrh+WS4
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-