lokibot | 6c11b5f1e85a276e82e0fcf65049fbd52406173aaec631cd8996f1fac18a0c36

Sharing

Copy URL

Twitter E-mail

General

Target

41b1711730c7ae3e9601df4422ab2594_JaffaCakes118
Size

6.0MB
Sample

240514-qxyt6ahf56
MD5

41b1711730c7ae3e9601df4422ab2594
SHA1

818d149bee398f7f3b6681529cfb91ebee7bd314
SHA256

6c11b5f1e85a276e82e0fcf65049fbd52406173aaec631cd8996f1fac18a0c36
SHA512

7f1d4a919bac1c53d3f17ad1f0835ad15c07b03541d392b44582647cad5f4127d1d127e871ecdb3a2e7c27e7fb3843f924ba21078eff878c1d312e22b395c367
SSDEEP

98304:KC21uSadgtPtKQlMCLTlQiKXtjBr2mHCJajyp8SnoXsC3U/iW7:KFT51L8tXCC98Em/iW7

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://fakeme.us/Panel/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Loki 1.8/Builder_Lifetime.exe
- Size
  
  367KB
- MD5
  
  5e85824cf5ae53b0e46afaacb011732b
- SHA1
  
  baa3b6b8bdd489cc4121688bbbafdffdce0da4f1
- SHA256
  
  f0e0aaaee50fa1bceb57e92777fbb8696514ea99a755214d2b49255d3f7538ed
- SHA512
  
  f55bbc8a4ecbedb8ebce746ad3d49de7703ce707f627e2ceba349d5f4414cc160be59be75d3a345109e9bf93c0ce1859eb5d21c010c5b7236d163500dd58ea9e
- SSDEEP
  
  6144:OeQybLGW2q0GZekNrSrSD9RBDbPkeVX6TuWkob3vHBRZ8wa7:mybLGDy3JBzDJXHWkoD/Zh2
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Loki 1.8/CookComputing.XmlRpcV2.dll
- Size
  
  120KB
- MD5
  
  537de6ee0a72601be1e1e452a3010954
- SHA1
  
  91f87bc5cc88249811dfcd130ccc2ca907eee2d3
- SHA256
  
  5826818bb43d41f6bc08722f036f3f9402dd53b6e6d6356caa5192fadf278451
- SHA512
  
  55eba8ba9d51bf5be2f8b40b68b0d162b6f1dfcc692d11e886a17d325fdb07c47965bd9fe590caafcf2a885f4b667b1e1a99a7467c5fc7ed45d214813fe91129
- SSDEEP
  
  3072:nYroBKFuiSfBStfhXjCjjETsm1cGvyN0rtmfeJyLG3CE2F+46tD1C2Eo:nwSfBStWnGvsPfeJyLGGKD1C2E
Score

1^/10
behavioral3 behavioral4
- Target
  
  Loki 1.8/Loki_original.exe
- Size
  
  294KB
- MD5
  
  5455364b437d431400267a9092d65442
- SHA1
  
  e34ddbf5ba33ffff8beca910cb17237553f4bfd1
- SHA256
  
  3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd
- SHA512
  
  a00fcf59f67062b112139b0ecdb9a65b9e80b63f90a0dcccc088100e65086e91d1cf704e1e48ef6093e5dcbcb996c00d242792fef7aafe220bacf453251f9f0a
- SSDEEP
  
  3072:wRb49OzAYn3a5O1mgxbnRQW1FkvHjhUfTEsS1yxrxzAycsFQ2D:wb49lQ1mgxbnRQW1FkvAeQxrxzDBp
Score

1^/10
behavioral5 behavioral6
- Target
  
  Loki 1.8/MRG.Controls.UI.dll
- Size
  
  11KB
- MD5
  
  f3ef809f9235900c0b086e1d22891321
- SHA1
  
  0251416274a1934d9461906e878858dec6be1a76
- SHA256
  
  7e27f1b12fe021a61fcbc5b349c75d49f0a41d6ea2556799d15948ce255c57fc
- SHA512
  
  5bcb9815c4a11583994168d704638b92f67313f36028bbd199c167fce2ecff16a98f3f0649d977b0784a45653ab0e4d22022ea24bfdbb46ac93693e3e7590311
- SSDEEP
  
  192:jKav8vl059O9z6b16UDauuuuuuUnGh4A7uf65I5BLZBGnn15sXQJ2NpQX:WapPcz6QruuuuuuUW4DC5I5BL7amQJ26
Score

1^/10
behavioral7 behavioral8
- Target
  
  Loki 1.8/NReadability.dll
- Size
  
  41KB
- MD5
  
  008fe03cbe1da5d1c39706d34fc8a85f
- SHA1
  
  87a8a21802c2cabcfe0bfad3f28eca6ac7a3f09c
- SHA256
  
  c057c61e1871252c98d4482fcd4a55713db2427d92dabf2d0e006bf948d0569f
- SHA512
  
  deb3494f34f9a0b3725ecf188ba19b28cb4d91185fe729b17d2140a19a9886f7e3ebeb1c74f8361adf65183c9cd7e1d770bc1a96d29bf81a3ea4c096ec695995
- SSDEEP
  
  768:aNTjuakP4LpHPvt3j+ahgZs/5wLEyCQ7G8Axuzdp2wT2+IyP6jsl6r2r5n:ad7kP4LpHXPSZ7LEFQ7G8Axuzj2wT2+V
Score

1^/10
behavioral10 behavioral9
- Target
  
  Panel/five/inc/class/misc.class.php
- Size
  
  66KB
- MD5
  
  619cd2ce2df8764750e66b4989c55ba8
- SHA1
  
  26ebf1af647c6a28f70b73e0263fd10da861b6f2
- SHA256
  
  b7d5548cbe65f4a3533708ad64309a4466022a9ce592bcf4cb42bd7d6dfe4c8e
- SHA512
  
  2e323b7a930065da53e19eb32911533733a3085700f5c3ec47448abc6e53f19f988d258c5ed8cf70d71eb7d3f795ceb4e8629cd635a2a3e07a9abaf5f3b93aac
- SSDEEP
  
  1536:Cwv+CpQQSfEv/CLCQecYeReGT6uNU51FXNtiLanesKY1K5Ue/iasa:CK+1T6qLcesKY1K5Psa
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Panel/five/inc/class/mysqli.class.php
- Size
  
  76KB
- MD5
  
  ee9dbe92dd08c8f3a082ab46103ef4f8
- SHA1
  
  cd9beb16a8ceb9403101d77c5c596c657074ff83
- SHA256
  
  5eb284f8432c5f442de9bdd5e41ed303aa53f47d5e0da5b8d67e957bbbcacac6
- SHA512
  
  93e80b1da8b7f98a431c947bd435fc7f60b5e50a0af2ae9df1ecbd60f1d8ea0a709138cd40bca2ed6157f3a5d6e0ac3a29e358051ba37373315aa6ffc3e52638
- SSDEEP
  
  1536:kHgMcfeNcsDDkdnn5ssfTSxs51LsDZVrWD:pfeNct
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Panel/five/inc/class/pCharts/class/pBarcode128.class.php
- Size
  
  6KB
- MD5
  
  a9fc8013bd8f51789fb657199b502637
- SHA1
  
  7e862deba68e60a997f42e2e1c757ba2e90d1b9b
- SHA256
  
  070c18ed48a10fa0a26482426ccc20f494dbbb79b0ca6d8b70ffb2685947ba8f
- SHA512
  
  078652a07045e226541e411ce67a478f570f29b4a9fc3b234f58c16cf29e31c35ac9b12c9859530c4fab89aa8a9fe1d36cb4c7b48a55cbb79b92718903c27a61
- SSDEEP
  
  96:MoB3gDYR4btt/uGPyDWIesaS7f3HddPsoEXAkM:MoB3eYRyEGPyDWHsaS7tOoEXAkM
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Panel/five/inc/class/pCharts/class/pBarcode39.class.php
- Size
  
  7KB
- MD5
  
  ff78588d44eece5ad0436581257b9e9f
- SHA1
  
  810e27278870cb260bef6d9b7794f56cbfde54b3
- SHA256
  
  7d82743e15cf0d6de4412fc116c4fe1ce932c0116ca2a10f46962b1ed33735a2
- SHA512
  
  f7f0cf43116cc7f28159f2c8315967dcf003f9fa5f88a01b4d44c080ccdd77336c9f5bb7d4e54333abe9e981000e5655b9eed4d6588415db1c2caef75505740c
- SSDEEP
  
  96:eoB3gDYaWiATbK1/7IQri2vZO9zwfcS7+HddPsoEzzXAkM:eoB3eYZiACtI+i2RO9zWcSIOoEHXAkM
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Panel/five/inc/class/pCharts/class/pBubble.class.php
- Size
  
  14KB
- MD5
  
  e297812e01d2338df95c40a74bf3699e
- SHA1
  
  09c88abe3d5b789d7668b3dd05d62b701273a9d6
- SHA256
  
  bde928ec2a3d04012a2a5aa652b9f9b0f9dc70c8d0789f70fca2917f519b88f4
- SHA512
  
  3d8acc03675f933f068b6554a87d56c326f6bd1b60a9167e38ad424982b7d971b8bb639d71a0da5f405002844582b04196d0fe370b7a17be46c7f7a5465a7f60
- SSDEEP
  
  96:toB3gDTXYQO49Wy65dra3Xte7WxvjauVZsmfes0IUWlnb5y8bkzxy8br8p77pvK0:toB3eTXYQO49Wx5dW3XiWJsS08pyhE
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Panel/five/inc/class/pCharts/class/pCache.class.php
- Size
  
  8KB
- MD5
  
  718b4ca4d55c403332a3477a10161789
- SHA1
  
  97d6cef62fe9e14f9a871648953ee2bc2538e45c
- SHA256
  
  d7d4f3dbaf3a39ee73056cd1c9690ebeb3370528f720e0de145db78c211856ec
- SHA512
  
  fb0aee797f7c1b6b02390a35ea673abd0406bed44454e4ab8bd38dc7ad176db5155cdb2b058df3894edc7468f5dfb93494e042546e236fa06a2ce7ab52052f5c
- SSDEEP
  
  192:VoB3eY60PKKfm2q5HNZVo/vQG0lJeMjDK5Fvjy7:6O8CFTiEGjy7
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Panel/five/inc/class/pCharts/class/pData.class.php
- Size
  
  30KB
- MD5
  
  5f125e49f5fb06094f12aa27dbfa31ed
- SHA1
  
  aff84d0e69f85c91705208029bf88dd8b4d5cacd
- SHA256
  
  f705add7a7e20a5603b432d97a80170a9d31dc4de449a6a0ce014b4169582b1b
- SHA512
  
  0b4c073ffbcf8e4c7932c121bde44698656b0ab19dac98692f2e83470510a1829d09eee6418e47237cac115bed25f8d319525f13ad7a2e4fc7876016a3d3c6b8
- SSDEEP
  
  384:PO7Ex4JPAMRdTXm9KbSX5hyxUgMsS6sz8n8pwvQJxISbcV5s3NA:SExmnzm9KbK58Ojsoz8n8psIISbh2
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Panel/five/inc/class/pCharts/class/pDraw.class.php
- Size
  
  319KB
- MD5
  
  0b9bbffe4c457652343862347e1357ef
- SHA1
  
  23d4591b018f5d133ecdff92e387877b0845b432
- SHA256
  
  97201d530c4745751246ed4639cf24e3342ce0a4a3de885b2e969e1cdc1bf3db
- SHA512
  
  20cd48f0119681a925950eb5771cb884eb5a8e980d8e931df130320febd99724cb66e0c4f5cbd6a2f7e1ee190a7f505a5a5426e0831daae6d817b1bbdfa9a149
- SSDEEP
  
  1536:PkqjoqKdH5Isz01Dx0MBDK5BgJctv5VqFhuQAqoXkbETmuDodIE0XX3nz:EmF4QAqhbETmuDoOE0XX3nz
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Panel/five/inc/class/pCharts/class/pImage.class.php
- Size
  
  19KB
- MD5
  
  de8a9c64df37a59ca0d4932414c817de
- SHA1
  
  429b0b9dcc9e3843976dcb14c16e45a874208309
- SHA256
  
  40a1105c0b71544cc8352fefacf982252d0cbf68c7b2ce57ac010cf152537028
- SHA512
  
  952dd9538fdbf743a726b57772bc64c51c5ef158328f2f638d12fc6a79cd87c748f858637c7950618437aabc3164e535bf32b5604fcd1e0f225b19c84754f1c1
- SSDEEP
  
  192:goB3enohsCfN2o7auOmPhTRzTePSmjfqmfLCEm1ty297z2yr36zhaa4aY665ppLP:lOoFAmPhTRzZmTCFZJfFAu
Score

3^/10

execution
behavioral27 behavioral28
- Target
  
  Panel/five/inc/class/pCharts/class/pIndicator.class.php
- Size
  
  11KB
- MD5
  
  4ac9195a473ab04729bb513852bc1bc7
- SHA1
  
  af605e8882ce5ec6b41b3902b75414fdf4e54257
- SHA256
  
  03db301cb33d99a591f32ac3050b24b360434759c4cf6ea835612e4516bef920
- SHA512
  
  d7c3e887f0e467fe72c155be1dab637fb9d368ef08cd6d36857bb0185a1f1d2792643df791b8209b2325d8c27dd6e1a78ed8531f3a6e0996156b95101747832e
- SSDEEP
  
  192:tjoB3eGZNS+1uFIgn1QKAlOpFCpK7TWOe:6OQ4ntpopBj
Score

3^/10

execution
behavioral29 behavioral30
- Target
  
  Panel/five/inc/class/pCharts/class/pPie.class.php
- Size
  
  65KB
- MD5
  
  4a8df9c68451a7846fbbfb5213c450d8
- SHA1
  
  768de54634a27f2899887630427aea84bdd87bfc
- SHA256
  
  a84369ce6edeaef275e6973227e6212df23234e9c4649e73354b9b247559a13d
- SHA512
  
  ecf9a4d38dd3c18db9b48e872a5289fea5d648bd53a335322cac2015a57083d3e2fdd4213c197904cbf0af61a160a58d0317c7f72a03e93dc7d5257870fab9b3
- SSDEEP
  
  1536:QQaY0UNjLGv8S6STShvmv1jSXSNBOBVSTSBvmvGO+vUSsk6V:owO7
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32