Overview

overview

10

Static

static

1

27a31bb63b...18.rtf

windows7-x64

10

27a31bb63b...18.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27a31bb63bd705c8f48ed9d0fe457349_JaffaCakes118

  • Size

    724KB

  • Sample

    240509-bs6a4saf7z

  • MD5

    27a31bb63bd705c8f48ed9d0fe457349

  • SHA1

    b51ed1f439b535f986f13480d65bb770e3817ad7

  • SHA256

    40c8077131f4d635924d0948059b6a834a0bf5ad82692d67203deb715d065d91

  • SHA512

    bc7b4df2dcc84ae735fb4aee364ab9f985cc4c7a39e8d7c6d5dff2cf437743751b599ac90ca798c643b261cbeefbdb5cf33f9ca7c722a7c104242304e000571b

  • SSDEEP

    12288:HQPeWsDY0kXbI80vIsRdznAx9MEH+3yaOXGXav:wPFs0Xt0QGdzA3JSyajXQ

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://woodindustriesincs.com/book/file2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      27a31bb63bd705c8f48ed9d0fe457349_JaffaCakes118

    • Size

      724KB

    • MD5

      27a31bb63bd705c8f48ed9d0fe457349

    • SHA1

      b51ed1f439b535f986f13480d65bb770e3817ad7

    • SHA256

      40c8077131f4d635924d0948059b6a834a0bf5ad82692d67203deb715d065d91

    • SHA512

      bc7b4df2dcc84ae735fb4aee364ab9f985cc4c7a39e8d7c6d5dff2cf437743751b599ac90ca798c643b261cbeefbdb5cf33f9ca7c722a7c104242304e000571b

    • SSDEEP

      12288:HQPeWsDY0kXbI80vIsRdznAx9MEH+3yaOXGXav:wPFs0Xt0QGdzA3JSyajXQ

    Score
    10/10
    lokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks