General

  • Target

    23ce2105091ff8f721ff05b5adea9473_JaffaCakes118

  • Size

    230KB

  • Sample

    240508-h9hdyahb5s

  • MD5

    23ce2105091ff8f721ff05b5adea9473

  • SHA1

    3d427b0c8f7165ef5966fb0b22a6bf8768638e6b

  • SHA256

    da139240b18d550c7c38051e30bb83213e06273f1267ff5ac748e59ef9790bd6

  • SHA512

    1d21bea08e470dc0ad5b6b5381151f949e1c0c4bb2adcb417d59150a821e168572102367b43c423d5eed88f7f496024fb50388126150a8dc2b2ad3356ced563c

  • SSDEEP

    6144:iNe6CngtmMTiaYel88voZqJmwUlNRPo0tGUcqHuPz+Ng:iNBFXTqel88v0qgwUTFbTcSuau

Malware Config

Extracted

Family

lokibot

C2

https://lonqtek.com/eze/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15