General

  • Target

    33ac1abeed677145c72e052090128240_JaffaCakes118

  • Size

    360KB

  • Sample

    240511-kdbydsbf55

  • MD5

    33ac1abeed677145c72e052090128240

  • SHA1

    40749f98558e83bab556634465af0a69dd1d7e1d

  • SHA256

    b764bde02596d5b472c235c8c220d84954e0a5af8d4c5219c88ced543b1b3b30

  • SHA512

    8ec56fca76c85d81202fa1b20e8f08cf4708f0b74501336cd69154b19340225dcaa5d956ac41d0ad4356f25e7aac288016d1912f3c22f79a4bbf37fb640c19d0

  • SSDEEP

    6144:cgHiDc5fBEVq4woFigKhPD7g5Z2xk9ae5K0FbIqQ26JAIjYLACkTmyF:c0mcWdL2PD7qJawK0pIqQ26Jbnf

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://sabzihome.com/Panel/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      NOA EVER BEING V.0885-019B.pdf.exe

    • Size

      665KB

    • MD5

      5565e697fe031404302628fed6d0d5e0

    • SHA1

      040e597eacf7a0d1947b4bf89d65ffbef0cbc1e2

    • SHA256

      90a81b30439b28f93aedd6c172dc5caf76c2f350f6c1b11eacaedc8dc80edf52

    • SHA512

      fbff8f182cb4de7a00560f707e0bb48bc0f2995e94ae29b88757ad905cde6ebcd8d3f152b89e8039cb3009dd2739dd817dd28f53b3f23d92fdc4eba51bec6c19

    • SSDEEP

      12288:rmp9XVk3rNq8srw+ZdKSsWItO8n+D0s+rIJDe54KZiHKkSi:QlQNqHMWKKcAFrJCdsN

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks