Overview

overview

10

Static

static

3

57b32bdc1c...18.exe

windows7-x64

10

57b32bdc1c...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    57b32bdc1cc1398bd45704adf17f5835_JaffaCakes118

  • Size

    693KB

  • Sample

    240519-a28l6ahc96

  • MD5

    57b32bdc1cc1398bd45704adf17f5835

  • SHA1

    6a19d34239014af5a81bb104c9c83e7a47da8ac4

  • SHA256

    d3b907e0a51770ee3ac166c231ad5e15a77d9c71399587a5ffde9518e2dbf2b9

  • SHA512

    d1c2a36ceb83bd8443d0993433406af78cdd756b8bba5526f642f0d4d38d7fabdd67164940146254c0b2b03cd1c38f958cfa20eb7957e57f2098695275c7d803

  • SSDEEP

    12288:daRcNdXuXAbodrGevgEefZnGhFNEvRWlQ+esTCm38E:d/uL7HAF092mM

Score
10/10
lokibotbootkitcollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://herold.nextlevlcourier.com/sop/anel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      57b32bdc1cc1398bd45704adf17f5835_JaffaCakes118

    • Size

      693KB

    • MD5

      57b32bdc1cc1398bd45704adf17f5835

    • SHA1

      6a19d34239014af5a81bb104c9c83e7a47da8ac4

    • SHA256

      d3b907e0a51770ee3ac166c231ad5e15a77d9c71399587a5ffde9518e2dbf2b9

    • SHA512

      d1c2a36ceb83bd8443d0993433406af78cdd756b8bba5526f642f0d4d38d7fabdd67164940146254c0b2b03cd1c38f958cfa20eb7957e57f2098695275c7d803

    • SSDEEP

      12288:daRcNdXuXAbodrGevgEefZnGhFNEvRWlQ+esTCm38E:d/uL7HAF092mM

    Score
    10/10
    lokibotbootkitcollectionpersistencespywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks