Overview

overview

10

Static

static

3

4492d19d68...18.exe

windows7-x64

10

4492d19d68...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4492d19d68954260f2e0107410b4ca29_JaffaCakes118

  • Size

    861KB

  • Sample

    240515-fb2ntahh26

  • MD5

    4492d19d68954260f2e0107410b4ca29

  • SHA1

    a868cf7984f82e26fc10042abd29d446fc00c60e

  • SHA256

    27fb1f8b290ec2212af9f5b2cbe26bcad4def0b89b479734adc2ae6d1d4840f0

  • SHA512

    0833b7e7e2ea47aaab5826fc8f9ecaa89ddb58ff21166bd223cffab837c358f1ef59df467b14476cbb8a68779f4e19dc447b6059c9b9c9b3b0d0fc401f3d4926

  • SSDEEP

    12288:mfAv6B8azBwdmiX+tGAHwp3pmYSdlpfPfvdcG8RSQOQA1533a1VC74/7jXB2wRsg:0k6+c2dm2AQp3awPvOQ4K19Xx2WswMO

Score
10/10
lokibotcollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://clotiahs.info/ret/four/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      4492d19d68954260f2e0107410b4ca29_JaffaCakes118

    • Size

      861KB

    • MD5

      4492d19d68954260f2e0107410b4ca29

    • SHA1

      a868cf7984f82e26fc10042abd29d446fc00c60e

    • SHA256

      27fb1f8b290ec2212af9f5b2cbe26bcad4def0b89b479734adc2ae6d1d4840f0

    • SHA512

      0833b7e7e2ea47aaab5826fc8f9ecaa89ddb58ff21166bd223cffab837c358f1ef59df467b14476cbb8a68779f4e19dc447b6059c9b9c9b3b0d0fc401f3d4926

    • SSDEEP

      12288:mfAv6B8azBwdmiX+tGAHwp3pmYSdlpfPfvdcG8RSQOQA1533a1VC74/7jXB2wRsg:0k6+c2dm2AQp3awPvOQ4K19Xx2WswMO

    Score
    10/10
    lokibotcollectionpersistencespywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks