General

  • Target

    6f004dab74e4db0433422af9cd46b19d_JaffaCakes118

  • Size

    529KB

  • Sample

    240524-s15g8abb48

  • MD5

    6f004dab74e4db0433422af9cd46b19d

  • SHA1

    227ade00f1347398ab5b2134b081ae2cffb1f4d3

  • SHA256

    d4ebc053365ff7f5d3f2ea9f06d045c50315ff56e71dc3aa7fe1d008e2b19b23

  • SHA512

    3d7f9528091b1ba9cb2ae7bcf7ef9769161e421093cc9fe90e146ad963f52dcf995a92490d0f56b002034f74bd23162741adc7c0ff85451af0bacab5355b77ea

  • SSDEEP

    6144:HWspCZScSaSrBvqUZ2YmLwE7yZZdyUYu1I9GlXOBmR6dNwdB+aDhhv5k+QDQ8aKx:BpCZSB1I9Gl+EdwckY8b

Malware Config

Extracted

Family

lokibot

C2

http://frankjoe.uzocoms.eu/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
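The C2 list above is the part of this report a responder can act on immediately. The following Python is an added example, not part of the sandbox report or of the sample itself: it turns the extracted URLs into exact-URL, hostname and URI-basename indicators, then scans proxy log lines for them and ranks each hit by how specific the match is (the hostname list doubles as a DNS blocklist). The log format and the log lines are constructed assumptions.

```python
from urllib.parse import urlparse

# The C2 URLs from the extracted LokiBot config above.
C2_URLS = [
    "http://frankjoe.uzocoms.eu/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log: "<client> <method> <url> <status>" per line.
# These lines are made up for the example and are not from the report.
SAMPLE_LOG = """\
10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php 404
10.0.0.5 GET http://alphastand.trade/alien/ 200
10.0.0.9 POST http://updates.example.test/update/fre.php 200
10.0.0.7 GET https://www.example.test/index.html 200
"""


def _normalize(url):
    """Return (scheme://host/path, host, path basename) with host lowercased."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    basename = p.path.rsplit("/", 1)[-1]
    return f"{p.scheme}://{host}{p.path}", host, basename


def c2_indicators(urls):
    """Derive three indicator sets of decreasing specificity from the config:
    exact URLs, hostnames, and URI basenames (here that is just 'fre.php')."""
    ind = {"exact": set(), "hosts": set(), "basenames": set()}
    for u in urls:
        exact, host, basename = _normalize(u)
        ind["exact"].add(exact)
        ind["hosts"].add(host)
        if basename:
            ind["basenames"].add(basename)
    return ind


def classify_request(url, ind):
    """Strongest matching indicator for one requested URL, or None.
    c2_url: exact panel URL; c2_host: same infrastructure, other path;
    c2_path_only: same script name on unknown host (weak, triage-only)."""
    exact, host, basename = _normalize(url)
    if exact in ind["exact"]:
        return "c2_url"
    if host in ind["hosts"]:
        return "c2_host"
    if basename in ind["basenames"]:
        return "c2_path_only"
    return None


def scan_log(text, ind):
    """Run every log line through classify_request; return (client, url, verdict) hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, _status = line.split()
        verdict = classify_request(url, ind)
        if verdict is not None:
            hits.append((client, url, verdict))
    return hits


def dns_blocklist(ind):
    """Hostnames to sink or block, one per line, sorted for stable diffs."""
    return sorted(ind["hosts"])


if __name__ == "__main__":
    indicators = c2_indicators(C2_URLS)
    for client, url, verdict in scan_log(SAMPLE_LOG, indicators):
        print(f"{verdict:14} {client:10} {url}")
    print("\n".join(dns_blocklist(indicators)))
```

A 404 from the panel (as in the first constructed line) is still a confirmed beacon: the host resolving and answering at all means the infrastructure is live, and LokiBot panels routinely answer unauthenticated requests with errors. The `c2_path_only` tier exists because the script name is shared across many LokiBot deployments, but it will also fire on unrelated sites, so treat it as a lead to pivot on rather than a block decision.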

Targets

    • Target

      6f004dab74e4db0433422af9cd46b19d_JaffaCakes118

    • Size

      529KB

    • MD5

      6f004dab74e4db0433422af9cd46b19d

    • SHA1

      227ade00f1347398ab5b2134b081ae2cffb1f4d3

    • SHA256

      d4ebc053365ff7f5d3f2ea9f06d045c50315ff56e71dc3aa7fe1d008e2b19b23

    • SHA512

      3d7f9528091b1ba9cb2ae7bcf7ef9769161e421093cc9fe90e146ad963f52dcf995a92490d0f56b002034f74bd23162741adc7c0ff85451af0bacab5355b77ea

    • SSDEEP

      6144:HWspCZScSaSrBvqUZ2YmLwE7yZZdyUYu1I9GlXOBmR6dNwdB+aDhhv5k+QDQ8aKx:BpCZSB1I9Gl+EdwckY8b

    • Lokibot

LokiBot is an information stealer that harvests saved credentials from browsers, email and FTP clients and other applications, plus cryptocurrency wallet files, and posts them to its C2 panel.

    • Checks computer location settings

Reads the country code configured in the registry, most likely as a geofence so the payload stays dormant on machines in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers read browser profile stores (login databases, cookies, autofill data), which hold saved credentials and session tokens that can be replayed without the password.

    • Accesses Microsoft Outlook profiles

      Outlook profile registry keys hold mail account settings and stored credentials, a standard target for credential-stealing families.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another (typically suspended) process is a hallmark of process hollowing and thread hijacking: the main thread's instruction pointer is redirected into injected code.

MITRE ATT&CK Enterprise v15

Tasks