General

  • Target

    566c2c6c5c45306f03831e2c656267ec_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240518-yacmeacc24

  • MD5

    566c2c6c5c45306f03831e2c656267ec

  • SHA1

    689b81989a8bffcc5674f9389fd233348be46f08

  • SHA256

    329c3b1c04a4b64aa1f20adf2d8df0d409a0d8e816acf3f29e497d3b1946808b

  • SHA512

    7e2e028c86fbd6287a1db1a63e6516047fc69d7fad65f7abe41093bc27fe674e93aad9590ba72a28b457d1d9c0393954af54d5e2264f6a6bf0b091c49c496c95

  • SSDEEP

    24576:pd6qlMEjK59o/Uv9IXvaVojYaT5bDbZUgtUfLznefTHLtpxQrUjDuZ4O:y

Malware Config

  • Extracted

    Family: lokibot

    C2:

      http://gavrelssimonskype.su/wp/web-obtain/css/log/Panel/five/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

      Modify Registry (T1112): 1

  • Credential Access

      Unsecured Credentials (T1552): 1
      Credentials In Files (T1552.001): 1

  • Discovery

      System Information Discovery (T1082): 3
      Query Registry (T1012): 2

  • Collection

      Data from Local System (T1005): 1
      Email Collection (T1114): 1
