General
-
Target
55127da3b4387da4ea48571773289074_JaffaCakes118
-
Size
713KB
-
Sample
240518-ra4bsseg5x
-
MD5
55127da3b4387da4ea48571773289074
-
SHA1
8cf29c6214317f6dedb09311ea40f73c17b1ff79
-
SHA256
124a062c4d1f1cba2d7e1e5477a424912b164b8d0b04e025e1d81ad6df9e95e6
-
SHA512
8858d372b323fd762a3a8db5948645264c4aaa4151622daa58d4bf7a5c5490adf23a9c55a2657a10d4ff21cd1eb9e8618d9e72c3bb2991d7b84059ef987eeaf1
-
SSDEEP
6144:Y31BCNpiOFU0t40vsqUdOx69t45KZ6CUNDsnfsbEWiR/iHpGsKx:YnE0Z02qUdOQ97ZMO8EBqHkx
Malware Config
Extracted
lokibot
http://monclaer.com/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
55127da3b4387da4ea48571773289074_JaffaCakes118
-
Size
713KB
-
MD5
55127da3b4387da4ea48571773289074
-
SHA1
8cf29c6214317f6dedb09311ea40f73c17b1ff79
-
SHA256
124a062c4d1f1cba2d7e1e5477a424912b164b8d0b04e025e1d81ad6df9e95e6
-
SHA512
8858d372b323fd762a3a8db5948645264c4aaa4151622daa58d4bf7a5c5490adf23a9c55a2657a10d4ff21cd1eb9e8618d9e72c3bb2991d7b84059ef987eeaf1
-
SSDEEP
6144:Y31BCNpiOFU0t40vsqUdOx69t45KZ6CUNDsnfsbEWiR/iHpGsKx:YnE0Z02qUdOQ97ZMO8EBqHkx
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-