Overview

overview

10

Static

static

1

02_2019_Or...ed.exe

windows7-x64

7

02_2019_Or...ed.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c8fbe5f101bd928862a47d95ea90903_JaffaCakes118

  • Size

    792KB

  • Sample

    240523-225n2scg55

  • MD5

    6c8fbe5f101bd928862a47d95ea90903

  • SHA1

    c6634bdf8b5a1b5f45903f8755ae524ee1205138

  • SHA256

    73e86b788261e8a4b97b6922627e3710235f97a69d68d9f950f195dbf0481687

  • SHA512

    1280b8ec3b1c7ef7a1c1f4fc332aa603dafc5661507ce0b459bf9cb21a84793392f83b53fa3d0a8e624003651bbf621d69c37c03458c64f3f8ce02c88cfe46f4

  • SSDEEP

    24576:VCHv3YrXNfyvJToSSLwnNCDwQDImcViQM3bN:Vs3YtE8zmMDwgcah

Score
10/10
lokibotagilenetcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://hmsd.us/loki/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      02_2019_Order_Package_20180329_06575998876_2019_signed.exe

    • Size

      947KB

    • MD5

      a0618e93947b2aeb2275200f18b4ae6b

    • SHA1

      d3f3b4741a04877a06c9307cf7d0e0daa9d48e36

    • SHA256

      7737901daf766eed03fa7a2bd4317a71760bd680fdadd4a827431774d984757a

    • SHA512

      33c5c6b4d555e87775b6680dd5dd25f009f94b0fd05876dc63344e5ee0d52d2df940923db819ff31437bb4132f94a73c70390596b63d643bb7d58b73dd80c09d

    • SSDEEP

      12288:+JsocMd7RpR66ri/hp4vKNZUuOKE0Cgoe4fLYwLcfCLFSLfmez:+m3w7Rb66+/YhM8fecYKcqZSH

    Score
    10/10
    agilenetlokibotcollectionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks